SAML proxies are increasingly being used to easily connect all of a collaboration's resources into the eduGAIN network and this would demonstrate it's success for a large, established collaboration. The AARC Blueprint Architecture is important in shaping the design and features of this pilot.
Following discussions within the LSC Identity and Access Management group it was decided that the pilot will deploy SATOSA and pyFF to create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. SATOSA will act as the central SAML Proxy of the project, while pyFF will be used to aggregate SAML metadata from Edugain and the LSC, and also provide the discovery service interface. This would allow LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identities would be mapped to a user's albert.einstein identity via an account linking step, so that LIGO specific information; in particular group and identity information would be connected to the user identity.
A pilot instance was deployed registered in the eduGAIN metadata and underwent extensive testing using a number of existing LSC resources. Within the pilot, account linking between institutional identities and a user LSC identity was performed using a manual administration step.
Demonstration of the discovery service in action.
Going forward an instance of COManage will be deployed to handle the account linking workflow, as well as more aspects of user management currently handled by a number of custom applications. To move the pilot into production the SATOSA and PyFF services must be deployed in a fault tolerant manner. The LSC has recently deployed a cloud based instance of the main Identity Provider, and we will be take a similar approach to deploy this suite of components.