...
Once approved, they will be notified via email - Once approved they will be able to access the dashborddashboard
User Workflow for interested users:
- User accesses the Openstack Dashboard to use the Openstack cluster configured as a SAML SP: ( User lands to the Sign up page, either directly or indirectly )
- He opens the web page
...
...
- for horizon at https://am02.pilots.aarc-project.eu/horizon .
- User selects either HO IdP (
...
- trivial use case in this pilot) or a Social Link page - Social IDPs
...
- : ( FB, Linkedin, Google, ORCID)
- User select Social IDPs or ORCID
- User is redirected to the Sign In page of the IDP : Google Login for example
- IDP proxy sends information to COMANAGE (SP) inside a SAML assertion
...
- According to the LoA user is faced to 2 options:
- The workflows implements 2 operational options, then :
- LoA is enough ---->
...
- Registration SELF-SERVICE Registration inside COMANAGE ( Self Service
...
- Flow in COMANAGE - when user coming from eduGAIN IDP
...
- -
...
- i.e. if the upstream IDP supports R & S --> automatic attribute exchange )
- If the
...
- upstream IDP cannot provide all attributes, or if the IDP is social ( = Affiliation Attribute is missing) --> user asked to provide himself the affiliation ( --> user asserted)
- The Registration process will therefore
...
- in this second case also inform the Sponsor of the VO : " user John Smith asked for registration on the COMANAGE collaboration " )
- The Sponsor user has to approve the request via https://am03.pilots.aarc-project.eu/registry/ ( thus triggering a specific enrolloment process -
...
- approval based registration within COMANAGE)
- The user email shows up inside
...
- COMANAGE -
...
- Subject Identifier retained by Google - Unique, Persistent, non-Reassignable (not the email address of google)
- The connector passes this IDP to the IDP/SP
...
- proxy ( The PX generated an opaque ID in Google --> Sent to COMANAGE SP the EGI-ID (proxy generated one)
...
- ) - COMANAGE does not store the Google ID , but the EGI SP generated one. This acts as primary key.
- When the user
...
- tries to login on the SP - openstack dashboard - URL of EGI pilot openstack -
...
- https://am02.pilots.aarc-project.eu/horizon .
- he logs in with his google
...
- account :
- Mapped to keystone: Mapping is based on eduPersonEntitlement or MemberOf(). We also add the membership to specific collaborations inside COMANAGE in the mapping.
- In the pilot we mapped user afiflitation to a keystone Group ; next experiment: map Entitlement to a Group. What if a user does not have nor Entitlement or Affiliation
- ---> no registration finished ==> no service for him
- It the registration is succesfull, " a Social Guest keystone project/tenant" available for him. [ later on will structure
...
===> Performances issues
=================================================== WF is done ==========================================================
===========================================================================
Invitation based flow
===========================================================================
Account link
=======================================================================================================================
- this into admin and user roles in keystone] -