...
Following discussions within the LSC it was decided that the pilot would deploy SATOSA create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. This would allow LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identifies would be mapped to a user's albert.einstein identity via a internal account linking, and LIGO specific information; in particular group and identity information would be used to annotate the account. SATOSA will act as the central SAML Proxy of the project, while pyFF will be used to aggregate SAML metadata from EduGAIN and the LSC, and also provide the discovery service interface.
Components
| Component | Description | Technology |
|---|
| Why did we choose it |
|---|
| SAML Proxy |
| SAML IdP to SAML SP Proxy | SATOSA | Popular Python based package that includes services for adding attributes from external source |
| Metadata aggregation |
| Aggregate and process SAML metadata from multiple sources | PyFF | Popular Python based package that allows you to customise SAML metadata processing and also supports Metadata Query Service |
| Discovery Service |
| Present list of IdPs to user | PyFF | PyFF already used to aggregate metadata, and includes a good, theme-able discovery service interface | |
| Attribute Store |
| Source of additional user attributes and group membership | Grouper + LDAP | LSC user group membership and extended attributes already managed and stored in Grouper | |
| Account Linking Service |
| Link institutional IdP |
| identity to LSC user |
...
| identity | COManage | COManage provides workflows for linking accounts and is already used with the GW Astronomy community for collaboration management. |
...
Architecture
SATOSA
...
PyFF Discovery Service
...
Use Cases
Successful Federated Identity Login
| Step | Action | Screenshot |
|---|---|---|
| 1 | Visit SP Website and select Satosa SAML Proxy from the list of IdPs |
|
| 2 | Select Home IdP from DS |
|
| 3 | Login at Institutional IdP |
|
| 4 | Access SP |
|
...
| Step | Action | Screenshot |
|---|---|---|
| 1 | Visit SP Website and select Satosa SAML Proxy from the list of IdPs |
|
| 2 | Select Home IdP from DS |
|
| 3 | Login at Institutional IdP |
|
| 4 | Account Linking |
|
| 5 | Access SP |
|
...