
Introduction

If an infrastructure wants to offer services that use X.509 authentication without forcing its users to obtain and manage their own X.509 certificates, the CILogon service can be used. One of the AARC pilots deployed a CILogon service under the RCAuth.eu label. The RCAuth.eu service is able to request group membership and roles from a VOMS service and inject them into the X.509 proxy certificate it generates for the user. Because RCAuth.eu generates the users' X.509 certificates on the fly, there is no way to provision user information into VOMS in advance. We have set up a pilot that combines Perun, RCAuth.eu and VOMS to provide X.509 proxy certificates from RCAuth.eu with VOMS extensions. We selected the ELIXIR AAI infrastructure to pilot this use case.

Detailed description

Detailed information about RCAuth.eu can be found <here>. What is needed is to provision information about the users into the VOMS service. Perun, as an IAM system, is the core component that manages users, groups and resources. Users register in Perun, where they are organised into groups and can also be assigned roles. VOMS identifies users by their X.509 DN, so we need to know what the DN of every registered user will look like. Because the algorithm by which RCAuth.eu generates the DN is known, we have configured Perun to generate exactly the same DN for every registered user. Perun then actively provisions (pushes) all registered users, together with their group membership and role information, to the VOMS service. When a user requests an X.509 proxy certificate from RCAuth.eu, RCAuth.eu contacts the VOMS service, which already knows the user and can therefore reply with all the information about that user. The user then holds an X.509 proxy certificate with VOMS extensions that can be used, for example, in the EGI FedCloud, where the user's membership is used for authorisation decisions.
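As an added illustration (not code from the pilot, nor from Perun, RCAuth.eu or VOMS), the following Python sketches the flow described above: Perun derives each user's DN with a deterministic function, pushes DN-to-FQAN entries to VOMS, and the CA side looks the DN up at issuance time. The DN prefix and the hashing rule are assumed stand-ins for the real RCAuth.eu algorithm, and the users are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the RCAuth.eu DN derivation; the real algorithm is
# not reproduced here, only its key property: the DN is a deterministic
# function of the user's identity, so Perun can compute it before any
# certificate is issued.
DN_PREFIX = "/DC=eu/DC=rcauth/DC=clients/O=example-org"  # assumed value


def derive_dn(unique_id: str, display_name: str) -> str:
    """Same identifier in -> same DN out, on both the Perun and the CA side."""
    digest = hashlib.sha256(unique_id.encode("utf-8")).hexdigest()[:16]
    return f"{DN_PREFIX}/CN={display_name} {digest}"


@dataclass
class PerunUser:
    unique_id: str      # federated identifier Perun knows the user by
    display_name: str
    groups: list        # VOMS group paths, e.g. "/elixir/compute"
    roles: list         # (group path, role) pairs


def fqans_for(user: PerunUser) -> list:
    """Group membership and roles expressed as VOMS FQANs."""
    fqans = list(user.groups)
    fqans += [f"{g}/Role={r}" for g, r in user.roles]
    return fqans


def push_to_voms(users) -> dict:
    """The Perun -> VOMS push: DN -> FQANs, computed before any cert exists."""
    return {derive_dn(u.unique_id, u.display_name): fqans_for(u) for u in users}


def issue_proxy(voms_db: dict, unique_id: str, display_name: str) -> dict:
    """RCAuth.eu side (simulated): derive the DN, ask VOMS, attach extensions.

    A user Perun has not provisioned yet is unknown to VOMS and gets no VOMS
    extension, so relying parties will deny VO-based access."""
    dn = derive_dn(unique_id, display_name)
    return {"subject": dn, "voms_fqans": voms_db.get(dn, [])}


# Constructed sample data: one registered user, one group admin role.
USERS = [
    PerunUser("alice@idp.example", "Alice Example",
              ["/elixir", "/elixir/compute"], [("/elixir/compute", "admin")]),
]
VOMS_DB = push_to_voms(USERS)
```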

Schema

[schema diagram not included in this version of the page]
