TCS Portal Project description
The portal uses the tailor-made Confusa software.
ACOnet, CSC, CESnet, Forskningsnettet, GARR, RENATER, SUnet, SURFnet, UNINETT
Project coordination: Jan Meijer
Operations: Teun Nijssen, Thijs Kinkhorst
Software development: Henrik Austad, Thomas Zangerl
- uptime (99.8x on 99.9x infra), 17 hours unscheduled downtime
- 2x2 virtual machines on separate physical hardware
Confusa's authentication mechanisms are largely based on simpleSAMLphp. simpleSAMLphp is server software written in PHP that implements, among other things, SAML SPs, SAML IdPs, metadata handling and IdP discovery. Confusa's framework hooks into the simpleSAMLphp authentication classes to establish the identity of the user. Once Confusa receives the attributes of the end user, it "decorates" a specific model class, called Person, with the obtained attributes. This process is shown here:
All other classes of Confusa retrieve end-user identity information from that shared Person class. Because Confusa is written in PHP and PHP objects do not persist between two successive page views, the decoration happens on every page rendering. Every access to a resource is therefore checked against the identity established by the current authentication, not against identity data cached from an earlier request.
To accommodate heterogeneity in federation attributes, Confusa lets subscriber and NREN administrators define their own mapping from the information Confusa requires to the attributes their federation releases. The map is stored together with the NREN's configuration and consulted during Person decoration (see above). The following algorithm is used to decorate the central Person object with the correct attributes (see also the graphic below):
Definition of Confusa's attribute map:
The person decoration process using the attribute map:
The following graphic illustrates the data flow in Confusa upon certificate request:
Especially noteworthy is the fact that the original subject DN of the certificate signing request is not preserved. Instead, the subject DN is constructed from the decorated Person object, as described in the section "Workflow upon authenticating users". The identity asserted in the issued certificate is thus bound to the federated identity established at login, and a user cannot obtain a certificate for an arbitrary subject simply by placing it in the CSR.
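The following is an added example, written for this page in Python rather than Confusa's PHP, and is not Confusa's own code. It illustrates the attribute-map and Person-decoration algorithm described above and the subject-DN construction from the decorated Person: a per-NREN map is consulted to fill a fresh Person from SAML attributes in the name-to-list-of-values shape simpleSAMLphp delivers, missing required attributes abort decoration, and the subject DN is derived from the Person while the CSR's own subject is ignored. The NREN names, the attribute choices, the `O=…,CN=…` DN layout and the sample attribute set are all assumptions made for the example; the RDN escaping follows RFC 4514, because attribute values released by an IdP are not trusted to be free of DN metacharacters.

```python
"""Added example: Confusa-style attribute mapping, Person decoration and
subject-DN construction. Python illustration, not Confusa's PHP code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, per-NREN attribute maps (assumed NREN names and attributes):
# key = field the Person object needs, value = federation attribute carrying it.
ATTRIBUTE_MAPS: Dict[str, Dict[str, str]] = {
    "nren-a": {
        "eppn": "eduPersonPrincipalName",
        "cn": "cn",
        "mail": "mail",
        "org": "schacHomeOrganization",
    },
    # A federation that releases the same attributes under OID names.
    "nren-b": {
        "eppn": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "cn": "urn:oid:2.5.4.3",
        "mail": "urn:oid:0.9.2342.19200300.100.1.3",
        "org": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
    },
}

# Fields without which no certificate may be issued (assumption).
REQUIRED_FIELDS = ("eppn", "cn", "org")


class DecorationError(Exception):
    """Raised when the released attributes cannot populate a Person."""


@dataclass
class Person:
    """The shared identity object that is decorated afresh on each request."""
    nren: str
    eppn: Optional[str] = None
    cn: Optional[str] = None
    mail: Optional[str] = None
    org: Optional[str] = None


def decorate_person(nren: str, attributes: Dict[str, List[str]]) -> Person:
    """Build a new Person from SAML attributes via the NREN's attribute map.

    `attributes` has the shape simpleSAMLphp hands to an SP: name -> list of
    values. A fresh Person is created on every call, mirroring the
    per-request decoration described in the text.
    """
    if nren not in ATTRIBUTE_MAPS:
        raise DecorationError(f"no attribute map configured for NREN {nren!r}")
    person = Person(nren=nren)
    for field_name, attr_name in ATTRIBUTE_MAPS[nren].items():
        values = attributes.get(attr_name) or []
        if values:
            # First value only; multi-valued attributes are not expected here.
            setattr(person, field_name, values[0])
    missing = [f for f in REQUIRED_FIELDS if getattr(person, f) is None]
    if missing:
        raise DecorationError(f"attributes missing for {missing} (NREN {nren})")
    return person


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for an RFC 4514 string DN."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s[:1] in ("#", " "):          # leading '#' or space must be escaped
        s = "\\" + s
    if s[-1:] == " " and not s.endswith("\\ "):  # trailing space likewise
        s = s[:-1] + "\\ "
    return s


def subject_dn(person: Person, csr_subject: Optional[str] = None) -> str:
    """Build the certificate subject DN from the decorated Person.

    `csr_subject` is accepted only so a call site can show that the CSR's
    subject is deliberately ignored: the DN that ends up in the certificate
    comes from the federated identity, never from the client. The O=org,CN=cn
    layout is an assumption, not Confusa's actual certificate profile.
    """
    del csr_subject  # intentionally unused
    if person.org is None or person.cn is None:
        raise DecorationError("Person is not fully decorated")
    return "O=" + escape_rdn_value(person.org) + ",CN=" + escape_rdn_value(person.cn)


# Constructed sample attributes as an IdP in "nren-a" might release them;
# the cn contains a comma to show why RDN escaping matters.
SAMPLE_ATTRIBUTES: Dict[str, List[str]] = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "cn": ["Doe, Jane"],
    "mail": ["jane.doe@example.edu"],
    "schacHomeOrganization": ["example.edu"],
}

if __name__ == "__main__":
    p = decorate_person("nren-a", SAMPLE_ATTRIBUTES)
    print(subject_dn(p, csr_subject="CN=Administrator,O=Someone Else"))
```

Because the attribute map is keyed by NREN, the same Confusa code serves a federation that releases friendly names and one that releases OID-named attributes; only the map differs. The escaping step matters because a `cn` such as `Doe, Jane` would otherwise split into two RDNs and let attribute content rewrite the DN structure.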