Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »


The purpose of this pilot is to build a setup in which users can access X.509-based resources without the need for them to understand the intricacies of a PKI. The pilot requires an online CA, plus a scalable trust model applicable for the multi-infrastructure-multi-federation European research landscape.

A high-level introduction is given in the this AARC blog post

Detailed description

A detailed description can be found in these wiki pages.

The setup consists of

  • An online CA:
  • Several Master Portals, run by e.g. EGI, ELIXIR.
  • Many VO-portal, also known as Science Gateways.

The online CA is a service provider which has entered eduGAIN, and has as CA been accredited by IGTF (as a so-called IOTA CA). In order to protect the service, a filtering WAYF has been implemented which only accepts Identity Providers that publish the R&S set of attributes and are conforming to the Sirtfi. The combined service is running on a production level. The Master Portals run by EGI and ELIXIR are running as pilot services.


We have created two demonstrator Master Portal clients, which talk to a semi-production Master Portal (running for EGI), serviced by the production online CA. We also have setup a test VOMS service with test VO, to test and showcase the integration with a VOMS attribute authority. The two demonstrators are:

  1. a simple PHP program showing the basic API and handshake, with a possibility to execute the same demonstrator code. The code additionally shows how to integrate with VOMS or how to specify a specific IdP at the WAYF.
  2. a simple Science Gateway allowing access to a gsiftp-enabled storage service (a test dCache instance, This shows how X.509-based storage elements can be accessed using a science gateway, where authorization is based on VOMS attributes (group membership etc.).


  • online CA is based on CILogon-software from the US-based CILogon project. A few adaptations had to be made to conform to European privacy regulations. The backend CA is based on a myproxy-server with an eToken as simple HSM plus some extra software to run the CA on a separate network.
  • The Master Portal is also based on the same software, implementing simultaneously an OA4MP client and server plus glue to connect the two. It has a backend myproxy-server for credential caching.

The adaptations of the code for this pilot can be found on the github repository


  • ansible scripts for setting up a Delegation Server (online CA) or a Master Portal
  • SimpleSAMLPHP has been used to build a filtering WAYF.
  • A VOMS server to run a test VO.
  • some simple PHP clients to test the flow and make a demonstrator.
  • No labels