...
- The software is not packaged; it must be compiled, deployed and configured by the admin.
- Good installation documentation.
- No modification to the software on the resource side (e.g. a standard SSH server can be used); only the proper configuration of the authentication and authorization mechanisms must be performed (PAM-LDAP modules).
- The web portal is complex: it provides a lot of functionality (resource management, group management, rules, statistics).
- Lack of portal help/howto and general documentation (description of concepts etc.).
- Specific versions of the underlying software are needed, so it is recommended to install some pieces manually.
- The piloting showed some issues with the underlying software.
- The admin interface is not completely translated into English.
Security aspects
The solution is correctly designed from the security point of view in general.
- Authentication to the resource is done against the user's home IdP, but it must be carefully configured (PAM module); otherwise the user may log in using a local password. (The authentication information is up to date.)
- The ECP solution requires trusting the resource provider, as the password to the IdP is passed through the service; other solutions lack this drawback.
- The user has to register to the resource and confirm the terms and conditions (the provider's interest is taken into account).
- There is no possibility for the resource/LDF administrator to lock access to the resource for an unwanted user (the admin may deregister the user from the resource, but the user may register again himself).
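The PAM caveat above (a carelessly configured stack lets the user log in with a local password instead of against the home IdP) can be checked mechanically. The script below is an added example for this note, not code from the LDAP Facade project and not its configuration: it parses a pam.d-style file, replays the classic control flags of the auth facility for a user who fails the LDAP (IdP-backed) module but knows the local password, and reports whether the stack would still admit them. The two PAM stacks in it are constructed for illustration.

```python
"""Check whether a PAM 'auth' stack lets a user log in with a local
password alone, bypassing the LDAP/IdP-backed module.

Constructed example for this evaluation note; it is not code from the
LDAP Facade project and does not reproduce its configuration. The PAM
snippets below are made up to illustrate a weak and a hardened stack.
"""
import re
from dataclasses import dataclass, field


# One PAM rule: '<facility> <control> <module> [args...]'
@dataclass
class PamRule:
    facility: str
    control: str
    module: str
    args: list = field(default_factory=list)


# The control field is a keyword or a bracketed '[success=ok default=bad]' form.
RULE_RE = re.compile(
    r"^(?P<facility>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam(text):
    """Parse pam.d-style text into PamRule objects, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        rules.append(PamRule(m["facility"], m["control"], m["module"], m["args"].split()))
    return rules


def simulate_auth(rules, results):
    """Evaluate the 'auth' facility with Linux-PAM's classic control flags
    (required / requisite / sufficient / optional).

    results maps a module name to True (success) or False (failure); modules
    not listed (pam_env, pam_faildelay, ...) are assumed to succeed.
    'include', 'substack' and bracketed controls are not modelled and raise
    NotImplementedError rather than being silently misjudged.
    """
    required_failed = False
    success_seen = False
    for r in rules:
        if r.facility != "auth":
            continue
        if r.control in ("include", "substack") or r.control.startswith("["):
            raise NotImplementedError(f"control not modelled: {r.control}")
        ok = results.get(r.module, True)
        if r.control == "required":
            if ok:
                success_seen = True
            else:
                required_failed = True      # remembered; the stack still continues
        elif r.control == "requisite":
            if not ok:
                return False                # immediate failure
            success_seen = True
        elif r.control == "sufficient":
            if ok and not required_failed:
                return True                 # short-circuit: later modules never run
        elif r.control == "optional":
            success_seen = success_seen or ok
        else:
            raise ValueError(f"unknown control flag: {r.control}")
    return success_seen and not required_failed


# Scenario from the note: the user fails at the IdP-backed LDAP module
# but knows the account's local (shadow) password.
LOCAL_PASSWORD_ONLY = {
    "pam_ldap.so": False,
    "pam_unix.so": True,
    "pam_deny.so": False,
    "pam_permit.so": True,
}


def allows_local_password_fallback(pam_text):
    """True if the stack would authenticate a user who only has the local password."""
    return simulate_auth(parse_pam(pam_text), LOCAL_PASSWORD_ONLY)


# Constructed weak stack: pam_unix is 'sufficient' and runs before pam_ldap,
# so a valid local password ends the stack successfully.
WEAK_SSHD_AUTH = """
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
"""

# Constructed hardened stack: only pam_ldap can produce success; pam_unix is
# not consulted for authentication at all, and pam_deny closes the stack.
HARDENED_SSHD_AUTH = """
auth    required    pam_env.so
auth    sufficient  pam_ldap.so
auth    required    pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_AUTH), ("hardened", HARDENED_SSHD_AUTH)):
        verdict = "FALLBACK POSSIBLE" if allows_local_password_fallback(text) else "ok"
        print(f"{name:9s}: {verdict}")
```

Order matters as much as the flags: `auth required pam_ldap.so` followed by `auth sufficient pam_unix.so` is safe, because the remembered required failure blocks the later sufficient success, while the reverse order is not. To use the check on a deployed resource, read its real `pam.d/sshd` file and pass the text to `allows_local_password_fallback`; files that use `include`, `substack` or bracketed controls need that included stack inlined first, since the model refuses them on purpose. The account facility and sshd's own settings are outside this check.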
Demo
The demo environment is publicly available. It consists of two elements:
- LDAP Facade portal - SAML SP (https://ldap-facade.aarc-project.psnc.pl)
- Exemplary SSH service (rhus-143.man.poznan.pl)
The suggested workflow is as follows:
- Prior configuration:
  - The user's IdP must be accepted by the SP and vice versa. SP metadata: metadata.xml.
  - The firewall to the resource must be opened for the user.
  - Please contact jankowsk@man.poznan.pl to configure the above.
- Register to the SSH service:
  - Log in to the portal and register to the rhus-143.man.poznan.pl service. Your account on that machine will be created automatically.
  - Click on "Registry Info" and check LocalUid.
  - Set a (local) password for the service.
  - Log in to rhus-143.man.poznan.pl with LocalUid as the username and the password set in the previous step.
Resources
- LDAP Facade documentation: http://wiki.data.kit.edu/index.php/LDAP-Facade
- LDAP Facade development repository (used in the above demo): https://git.scc.kit.edu/jz9384/reg-app-dev.git
- LDAP Facade stable repository (used by bwIDM services): https://git.scc.kit.edu/simon/reg-app.git