Comment: Migrated to Confluence 4.0

...

  1. It needs to be made clear whether the NREN wants to join the Personal portal, the eScience portal or both. In general you want both, since your customers can then decide per individual person which certificate he or she may request. If you have no relations with the eScience Grid community, ask for the Personal portal only; the other option can always be added later. The annual TERENA fee buys both types.
  2. The NREN needs to import our metadata into its federation IdP:
    1. eScience metadata
    2. Personal metadata
  3. Similarly, we need to install the metadata from your NREN federation so we can add it to the portal(s). Please provide the URL to operations.
  4. The NREN needs to export the correct attributes to us. Required are:
    1. eduPersonPrincipalName. This eduPersonPrincipalName needs to contain a globally unique, persistent tag. Typical examples are '1234567@uvt.nl' or 'frits@uninett.no'. This is not a mail address: the '@university.country' scope takes care of global uniqueness, and the text in the first part may be a username or an administration number. Persistence means that once a particular principalName has ever been used for a person, it must never be used for another person; in particular, a username that is freed up when an account is deleted must not yield the same eduPersonPrincipalName for a later account holder.
    2. eduPersonEntitlement, containing urn:mace:terena.org:tcs:escience-user and/or urn:mace:terena.org:tcs:personal-user.
      Note: this value must only be set for users that are guaranteed to have a passport-verified identity! People need not be re-authenticated using passport if that was done earlier. Test identities are strictly forbidden, as are pseudonyms.
    3. Additionally, for the NREN and Subscriber admins, the corresponding admin values are required: urn:mace:terena.org:tcs:escience-admin and/or urn:mace:terena.org:tcs:personal-admin.
    4. schacHomeOrganization OR eduPersonOrgDN identifying the institution/subscriber of the person within the NREN. E.g. for schacHomeOrganization "uvt.nl", or for eduPersonOrgDN "o=Hogwarts, dc=hsww, dc=wiz".
    5. some representation of the full name (e.g. 'cn', but it can be a differently named attribute). This full name becomes the Common Name of the issued certificate. Examples of a Common Name: "S. Kramer" or "Thijs Nijssen".
    6. the user's email address (e.g. attribute 'mail', but it can be a differently named attribute). Email addresses end up in the certificate. On a per NREN basis, the portal can be configured to support more than one mail address.
  5. Send the portal operators the eduPersonPrincipalName of the initial NREN admin. That admin can then add other admins, Subscribers (institutions) and Subscriber admins.
  6. On a per NREN basis, the validity period of a certificate can be set to one, two or three years. This value can be modified later; we suggest you start with a one year period. Please tell us your preference.
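The attribute requirements in step 4 are the part of this procedure that an NREN can test before asking operations to enable the portal. The following script is an added example, not code from the TCS portal or from TERENA: it parses a SAML 2.0 AttributeStatement as an SP would receive it and checks the released attributes against the rules above. The OID attribute names are the standard eduPerson, SCHAC and LDAP ones; the full admin entitlement URNs are assumed to use the same urn:mace:terena.org:tcs: prefix as the user entitlements; the sample assertion is constructed for the example.

```python
"""Check a SAML AttributeStatement against the TCS portal attribute requirements.

Added example; not part of the TCS portal code. Sample assertion is constructed.
"""
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Standard OID names (SAML 2.0 uri NameFormat) for the attributes the portal needs.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.3": "eduPersonOrgDN",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

TCS = "urn:mace:terena.org:tcs:"
USER_ROLES = {TCS + "escience-user", TCS + "personal-user"}
# Assumption: the admin values share the user entitlement prefix.
ADMIN_ROLES = {TCS + "escience-admin", TCS + "personal-admin"}

# ePPN is 'local@scope' with a DNS-style scope; it need not be a deliverable mailbox,
# so no mail semantics are enforced here. Persistence cannot be checked from one assertion.
EPPN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_attributes(assertion_xml):
    """Return {friendlyName: [values]} from a SAML 2.0 assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        name = attr.get("Name", "")
        # Accept the OID name, or a FriendlyName if the IdP sends a differently named attribute.
        friendly = OID_TO_NAME.get(name) or attr.get("FriendlyName") or name
        values = [v.text.strip() for v in attr.findall(SAML + "AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(friendly, []).extend(values)
    return attrs


def validate(attrs, multiple_mail_allowed=False):
    """Return (tcs_roles, problems); an empty problems list means the release is acceptable."""
    problems = []

    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1:
        problems.append(f"eduPersonPrincipalName: exactly one value required, got {len(eppn)}")
    elif not EPPN_RE.match(eppn[0]):
        problems.append(f"eduPersonPrincipalName: {eppn[0]!r} is not 'local@scope' with a DNS-style scope")

    ent = set(attrs.get("eduPersonEntitlement", []))
    roles = sorted(v[len(TCS):] for v in ent if v in USER_ROLES | ADMIN_ROLES)
    if not ent & USER_ROLES:
        problems.append("eduPersonEntitlement: no TCS user entitlement released")

    if not (attrs.get("schacHomeOrganization") or attrs.get("eduPersonOrgDN")):
        problems.append("schacHomeOrganization or eduPersonOrgDN: one of them is required")

    cn = attrs.get("cn", [])
    if len(cn) != 1:
        problems.append(f"cn: exactly one full name required (it becomes the certificate CN), got {len(cn)}")

    mail = attrs.get("mail", [])
    if not mail:
        problems.append("mail: at least one address required")
    elif len(mail) > 1 and not multiple_mail_allowed:
        problems.append(f"mail: {len(mail)} addresses released but the portal is configured for one")
    problems.extend(f"mail: {m!r} does not look like an address" for m in mail if not MAIL_RE.match(m))

    return roles, problems


# Constructed sample: a Personal portal user who is also a Subscriber admin.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
   <saml:AttributeValue>1234567@uvt.nl</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
   <saml:AttributeValue>urn:mace:terena.org:tcs:personal-user</saml:AttributeValue>
   <saml:AttributeValue>urn:mace:terena.org:tcs:personal-admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9">
   <saml:AttributeValue>uvt.nl</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.3">
   <saml:AttributeValue>S. Kramer</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
   <saml:AttributeValue>s.kramer@uvt.nl</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    roles, problems = validate(parse_attributes(SAMPLE))
    print("roles:", roles)
    print("problems:", problems or "none")
```

Run it against a test login's assertion (for example the one shown by a Shibboleth SP's Session handler or a SimpleSAMLphp test authentication) before sending the metadata and the initial admin's eduPersonPrincipalName to operations. Two requirements from step 4 are deliberately outside what such a check can prove: that an eduPersonPrincipalName is never reassigned, and that the entitlement is only set for passport-verified, non-test, non-pseudonymous identities. Both are properties of the IdP's identity management, not of any single assertion.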

...