...
For the purpose of this pilot, we have enabled federated access to the dashboard of a demo OpenStack Cloud deployment. Specifically, the pilot IdP proxy has been configured to authenticate users and communicate the result of the authentication to OpenStack's Identity service (Keystone) using SAML assertions. The SAML assertions are then mapped to Keystone user groups, which determine the cloud resources the authenticating user can access using their federated AARC ID.
Registration/Login Workflow
1. Access OpenStack's Dashboard (Horizon) at https://am02.pilots.aarc-project.eu/horizon
2. Click Connect and select your Identity Provider from the discovery page (WAYF). You may select any of the following options:
3. Enter your login credentials to authenticate yourself with the IdP of your Home Organisation (e.g. Google).
4. After successful authentication, you may be prompted by your Home Organisation to consent to the release of personal information to the EGI AAI Service Provider Proxy.
5. On the EGI AAI Consent about releasing personal information page, click Yes, continue to consent to the release of personal information to the EGI User Account Registry. If you select the Remember option, your browser will remember your choice unless you clear your cookies or restart the browser.
6. If this is your first time logging in, you will be redirected to the AARC Pilot User Community Sign Up page after successful authentication. Alternatively, you may access the sign up page directly by visiting:
7. Depending on the LoA and/or attributes released by your Home IdP, there are two sign up workflows:
8. On the registration form, click Review Terms and Conditions.
9. If you agree to the Terms of Use, select the I Agree option. Important: You will not be able to agree to the terms until you review them!
10. Finally, click Submit to submit your request. Important: You will not be able to submit your request until you agree to the terms!
11. After submitting your request, you will receive an email with a verification link in it. After you click that link, you'll be taken to the request confirmation page.
12. After reviewing your request, click Confirm and re-authenticate yourself using the Identity Provider you selected in Step 2.
13. If your sign up request requires approval (see Step 7), the Sponsor(s) of the VO will be notified via email. You will need to wait for a Sponsor to approve your request to join the AARC Pilot User Community. Upon approval, you will receive a notification email.
14. After your registration has been completed, you can manage your profile through the Account Registry portal at https://aai-dev.egi.eu/registry
15. Log in again to OpenStack's dashboard at https://am02.pilots.aarc-project.eu/horizon. You will be mapped to a Keystone user group based on the values of the eduPersonEntitlement attribute.
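The group mapping in the last step can be illustrated with a simplified evaluator for rules written in the shape of a Keystone federation mapping. This is an added example, not the pilot's configuration or Keystone's own code; the entitlement URNs, group names, the domain and the use of `eduPersonEntitlement` as the attribute key are assumptions. It shows exact matching per value and that an assertion without a matching entitlement is granted no group.

```python
# Added example: simplified evaluator for Keystone-style mapping rules.
# Entitlement URNs, group names and the attribute key are constructed.

# Each rule lists "remote" conditions on assertion attributes and the
# "local" group granted when every condition holds.
RULES = [
    {"remote": [{"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:aarc-pilot:role=member"]}],
     "local": [{"group": {"name": "pilot-members", "domain": {"name": "Default"}}}]},
    {"remote": [{"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:aarc-pilot:role=admin"]}],
     "local": [{"group": {"name": "pilot-admins", "domain": {"name": "Default"}}}]},
]


def split_values(raw):
    """Split a multi-valued attribute exported as one ';'-separated string."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def map_groups(attributes, rules=RULES):
    """Return the sorted local group names granted by the attributes.

    Matching is exact per value: a value that only contains or extends an
    allowed entitlement grants nothing. No match returns [], i.e. no group.
    """
    groups = set()
    for rule in rules:
        satisfied = True
        for cond in rule["remote"]:
            values = set(split_values(attributes.get(cond["type"], "")))
            if not values & set(cond["any_one_of"]):
                satisfied = False
                break
        if satisfied:
            groups.update(item["group"]["name"]
                          for item in rule["local"] if "group" in item)
    return sorted(groups)


if __name__ == "__main__":
    # Constructed attribute sets standing in for what the IdP proxy asserts.
    samples = {
        "member": {"eduPersonEntitlement": "urn:example:aarc-pilot:role=member"},
        "lookalike": {"eduPersonEntitlement": "urn:example:aarc-pilot:role=admin-guest"},
        "none": {},
    }
    for label, attrs in samples.items():
        print(label, "->", map_groups(attrs))
```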
Identity Linking Workflow
Identity linking allows users to access federated resources with their existing personal AARC ID, using any of the login credentials they have linked to their account. To link a new organisational or social identity to your AARC account:
1. Enter the following URL in a browser: https://aai-dev.egi.eu/registry
2. Click Login and authenticate using any of the login credentials already linked to your AARC account.
3. Navigate to My AARC Pilot User Community Account page in any of the following ways:
4. Under the Organisational Identities section of your profile page, click Link New Identity.
5. On the introductory page for Identity Linking, click Begin.
Components
- SimpleSAMLphp (version 1.14.5)
- simplesamlphp-module-openidconnect (commit affb54a)
- simplesamlphp-module-authfacebook (commit d8dc33c)
- simplesamlphp-module-authlinkedin (branch rc/authlinkedin)
- simplesamlphp-module-authorcid (master branch)
- COmanage Registry (version 1.0.4)
- Shibboleth (Service Provider version 2.5.3)
- Memcached (version 1.4.21)
- PostgreSQL (9.4)
- OpenStack