CTA Pilot Description
CTA is a community of astrophysics users which already had its own AAI solution in place. For AARC it is therefore a very good example of how to address the needs of a community that has already developed an AAI, in their case based on a stand-alone, catch-all SAML Identity Provider, integrated with a group management tool used for authorization on selected service providers.
The goal of this pilot is to provide a non-invasive solution that simplifies access to CTA services for users coming from both eduGAIN and the CTA community.
The pilot should give CTA administrators a solution that does not disrupt the mechanisms already in use, since these are well known to them.
With this pilot, new features will be introduced:
- Self service registration under administrator approval
- Account linking solution, under administrator approval
- Simple integration and transparency to any future CTA service.
Identity linking between the IDs issued by the current standalone CTA IdP and the eduGAIN ones is a relevant goal for this pilot.
The requirements identified from the beginning for adding the CTA community to the eduGAIN federation, from the CTA perspective, are the following:
- Implement a user-friendly user enrollment flow
- Manage both CTA and eduGAIN identities for users
- Link identities under administrator approval
- Keep supporting Grouper as the main authorization front end towards their SP / services
- Include guest identities (social IDs) - [ light requirement ]
- Support OIDC RP - [ light requirement ]
The work carried out in the CTA pilot of AARC is aimed at onboarding the CTA community into eduGAIN. An infrastructure has been deployed, based on the model proposed by the AARC Blueprint Architecture, to enable the management of users coming from both eduGAIN Identity Providers and the CTA standalone IdP. The core component of the new infrastructure is the SATOSA IdP/SP proxy, acting as the central AAI layer serving the CTA community of users. In addition, an external attribute authority (COmanage) has been plugged into the proxy in order to manage the user enrollment process, ensure the injection of additional user authorization attributes, and allow for account linking whenever appropriate, i.e. when requested by the users and granted by the manager of the collaboration.
A long-term goal of this pilot is to have the CTA community move from a stand-alone AAI solution based on a single IdP to a fully federated one.
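The following is an added example, not code from the AARC or CTA pilot, and not SATOSA, COmanage or Grouper code. It is a toy model of the proxy flow described above: a login arrives from either the standalone CTA IdP or an eduGAIN IdP, an attribute authority holds self-service enrolment records and account links that only take effect after administrator approval, and group membership is injected for the resolved CTA account so downstream services can keep authorising on group names. All entityIDs, subjects, accounts, group names and attribute names are constructed for the example.

```python
"""Toy model of the attribute flow through the CTA proxy described above.

Hypothetical example, not SATOSA, COmanage or Grouper code. It models:
  * an authentication result arriving at the proxy from either the standalone
    CTA IdP or an eduGAIN IdP (issuer entityID plus a persistent subject id);
  * an attribute authority holding enrolment and account-linking records, where
    a link between an external identity and a CTA account only takes effect
    once an administrator has approved it;
  * injection of group membership for the resolved CTA account, so that the
    downstream service providers can keep authorising on group names.
Every entityID, subject, account and group below is constructed sample data.
"""
from dataclasses import dataclass, field

CTA_IDP = "https://idp.cta.example/saml"  # constructed entityID of the standalone CTA IdP


@dataclass
class AuthnResult:
    issuer: str                 # entityID of the IdP that authenticated the user
    subject: str                # persistent identifier released by that IdP
    attributes: dict = field(default_factory=dict)


@dataclass
class LinkRecord:
    external_issuer: str
    external_subject: str
    cta_account: str
    approved: bool              # set to True only by an administrator


class AttributeAuthority:
    """Stand-in for the external attribute authority plugged into the proxy."""

    def __init__(self, links, groups):
        self.links = links      # list of LinkRecord
        self.groups = groups    # cta_account -> set of group names

    def find_link(self, result):
        for rec in self.links:
            if (rec.external_issuer, rec.external_subject) == (result.issuer, result.subject):
                return rec
        return None

    def groups_for(self, account):
        return sorted(self.groups.get(account, set()))


class ProxyFlow:
    """Decides what the proxy releases to the service provider for one login."""

    def __init__(self, authority):
        self.aa = authority

    def process(self, result):
        # Users of the standalone CTA IdP already hold a CTA account: no link needed.
        if result.issuer == CTA_IDP:
            return self._release(result, result.subject)
        rec = self.aa.find_link(result)
        if rec is None:
            # Unknown external identity: the user must go through self-service enrolment.
            return {"status": "enrolment_required", "attributes": {}}
        if not rec.approved:
            # Registered but not yet approved by an administrator: release nothing.
            return {"status": "pending_approval", "attributes": {}}
        return self._release(result, rec.cta_account)

    def _release(self, result, account):
        attrs = dict(result.attributes)
        attrs["ctaAccount"] = [account]
        attrs["isMemberOf"] = self.aa.groups_for(account)   # injected authorization data
        return {"status": "ok", "attributes": attrs}


def build_demo_proxy():
    # Constructed records: alice's eduGAIN identity is linked and approved,
    # bob's link is still waiting for administrator approval.
    links = [
        LinkRecord("https://idp.university.example/idp", "alice@university.example", "alice", True),
        LinkRecord("https://idp.institute.example/idp", "bob@institute.example", "bob", False),
    ]
    groups = {"alice": {"cta:members", "cta:data-analysis"}, "bob": {"cta:members"}}
    return ProxyFlow(AttributeAuthority(links, groups))


def run_demo():
    proxy = build_demo_proxy()
    cases = {
        "cta_user": AuthnResult(CTA_IDP, "alice", {"mail": ["alice@cta.example"]}),
        "linked_edugain_user": AuthnResult("https://idp.university.example/idp",
                                           "alice@university.example",
                                           {"mail": ["alice@university.example"]}),
        "pending_edugain_user": AuthnResult("https://idp.institute.example/idp", "bob@institute.example"),
        "unknown_edugain_user": AuthnResult("https://idp.other.example/idp", "carol@other.example"),
    }
    return {name: proxy.process(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The point of the model is the approval gate: the same person logging in through the CTA IdP or through an approved eduGAIN link ends up with the same `ctaAccount` and the same `isMemberOf` values, while a pending link or an unknown identity yields no authorization attributes at all, so the proxy never grants access on the strength of a self-registered but unapproved link. In the real deployment the two non-OK outcomes would be redirections into the enrolment and approval workflow rather than status strings.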
This pilot perfectly fits with AARC's goals:
...