CTA Pilot Description
What are the goals of this pilot?
Why is it in AARC project?
The project fits perfectly within AARC because it aims to solve the problems of authenticating a multitude of identities coming from different IdPs but logically belonging to the same scientific community, and it proposes the reuse of existing technologies without overturning what is already in place in the environment under examination.
How this pilot will improve AARC community?
Although the pilot proposes solutions specific to the CTA community, the great flexibility of the tools used allows the configuration to be varied to fit the authentication and authorization needs of any scientific community.
Why should I use this pilot instead of other solutions?
...
The pilot must provide CTA administrators with a solution that does not overturn the mechanisms in use, which are by now well tested.
The new features introduced include the following:
- Self-service registration subject to approval by an admin
- Account linking subject to approval by an admin
- Simple and transparent integration for any future CTA service
CTA is a community of astrophysics users which already had its own AAI solution in place and represents for AARC, in this respect, a very good example of how to address the needs of a community that has already developed an AAI. In this case their AAI solution was based on a stand-alone, catch-all SAML Identity Provider, integrated with a group management tool (Grouper) used for authorization on selected Service Providers.
The goal of this pilot is to provide a non-invasive solution that simplifies access to CTA services for users coming from eduGAIN and from the CTA community.
The requirements identified from the beginning for bringing the CTA community into the eduGAIN federation, from the CTA perspective, are:
- Implement a user-friendly enrollment flow
- Manage both CTA and eduGAIN identities for users
- Link identities under administrator approval
- Keep supporting Grouper as the main authorization front end towards SPs
- Include guest identities (Social IDs) - (light requirement)
- Support OIDC RP - (light requirement)
The work carried out in the CTA pilot of AARC aims to provide the CTA community with eduGAIN authentication services while at the same time offering a way to onboard this scientific community into eduGAIN. An infrastructure has been deployed, based on the model proposed by the AARC Blueprint Architecture, to manage users coming from both eduGAIN Identity Providers and the CTA stand-alone IdP. The core component of the new infrastructure is the SATOSA IdP/SP proxy, acting as the central AAI layer for the CTA community of users. In addition, an external attribute authority (COmanage) has been plugged into the proxy in order to manage the user enrollment process, inject additional authorization attributes into the user's attribute set, and allow account linking where appropriate, i.e. when requested by the user and granted by the manager of the collaboration.
The pilot should provide CTA administrators with a solution that does not upset the mechanisms already in use, because those are well known and proven.
This pilot fits perfectly with AARC's goals:
- It helps to solve issues related to authentication from different IdPs whose users are logically related to the same scientific community
- The proposed solution uses only existing technologies, without the need to create new ones
- It does not change the overall approach already in place for the CTA community
Even though this pilot proposes a solution for the CTA community, the high flexibility of its components allows the configuration to be changed, so any scientific community that needs such a solution can adapt it to its own needs.
With this, the following new features are introduced:
- Self-service registration under administrator approval
- Account linking, under administrator approval
- Simple and transparent integration of any future CTA service
Identity linking between the IDs of the current stand-alone CTA IdP and the eduGAIN ones is a relevant goal for this pilot.
A long-term goal of this pilot is to move the CTA community from a stand-alone solution based on its own IdP to a fully federated one.
The proposed components within this pilot are highly flexible, which means that other scientific communities can easily adapt the components to fit their own authentication and authorization needs.
Pilot Implementation Phases
While onboarding the CTA community, to reach the desired AAI model (based on a central proxy and a community Attribute Authority, COmanage), two main streams of work have been designed and implemented:
A) Provisioning into COmanage the CTA identities already existing in the catch-all Identity Provider
To provision the IDs of already existing CTA users into COmanage, a temporary LDAP server and the LDAP user provisioning plugin of COmanage were used.
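The temporary LDAP server has to be populated with the legacy CTA accounts before COmanage can pick them up. As an added example (not the pilot's own tooling), the script below turns a constructed export of the catch-all IdP's accounts into an LDIF file suitable for ldapadd. The record layout (uid, givenName, sn, mail), the base DN "ou=People,dc=cta,dc=example" and the use of the inetOrgPerson object class are assumptions made for the example; the page does not say how the accounts were exported. The point worth noticing is the handling of non-ASCII names, which LDIF requires to be base64-encoded, and the rejection of records that could not be provisioned cleanly instead of silently producing broken entries.

```python
"""Turn an export of the catch-all CTA IdP's accounts into LDIF for the
temporary LDAP server.

Illustrative code added to this page, not part of the pilot's tooling. The
record layout, the base DN and the use of inetOrgPerson are assumptions.
"""
import base64
import re

BASE_DN = "ou=People,dc=cta,dc=example"  # assumed, not taken from the page
REQUIRED = ("uid", "sn", "mail")
# Characters allowed in the uid used as RDN; anything else would need RFC 4514
# escaping, so such accounts are rejected rather than silently mangled.
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample export; the accented surname exercises the base64 path.
SAMPLE_ACCOUNTS = [
    {"uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jane.doe@cta.example"},
    {"uid": "kmueller", "givenName": "Karl", "sn": "Müller", "mail": "karl.mueller@cta.example"},
]


def fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute value; non-ASCII or otherwise unsafe values
    (leading space/colon/'<', trailing space, NUL/CR/LF) go out base64 ('::')."""
    if value == "":
        raise ValueError(f"{attr}: empty value")
    unsafe = (
        not value.isascii()
        or value[0] in " :<"
        or value[-1] == " "
        or any(c in value for c in "\x00\n\r")
    )
    if unsafe:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{attr}:: {b64}")
    return fold(f"{attr}: {value}")


def account_to_ldif(account: dict, base_dn: str = BASE_DN) -> str:
    """One inetOrgPerson entry; raises on records that cannot be provisioned."""
    missing = [a for a in REQUIRED if not account.get(a)]
    if missing:
        raise ValueError(f"{account.get('uid', '?')}: missing {missing}")
    uid = account["uid"]
    if not SAFE_UID.match(uid):
        raise ValueError(f"{uid}: uid not safe for use in a DN")
    cn = account.get("cn") or f"{account.get('givenName', '')} {account['sn']}".strip()
    lines = [
        fold(f"dn: uid={uid},{base_dn}"),
        "objectClass: inetOrgPerson",
        ldif_line("uid", uid),
        ldif_line("cn", cn),
        ldif_line("sn", account["sn"]),
    ]
    if account.get("givenName"):
        lines.append(ldif_line("givenName", account["givenName"]))
    lines.append(ldif_line("mail", account["mail"]))
    return "\n".join(lines) + "\n"


def export_ldif(accounts, base_dn: str = BASE_DN) -> str:
    """Whole file: version header, one entry per account, blank-line separated."""
    entries = [account_to_ldif(a, base_dn) for a in accounts]
    return "version: 1\n\n" + "\n".join(entries)


if __name__ == "__main__":
    print(export_ldif(SAMPLE_ACCOUNTS), end="")
```

The output can be loaded with `ldapadd -x -D <admin dn> -W -f cta-users.ldif` against the temporary server. If the eduPersonPrincipalName of the legacy accounts is to be carried over as well, the eduPerson object class has to be added to the entries and to the server's schema.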
B) Modelling and implementing an enrollment workflow for eduGAIN users (not already in the CTA IdP) - functional integration of COmanage
The first step implemented in this phase of the pilot consisted of integrating COmanage with Grouper. Grouper is the group management tool used by the CTA community to manage authorization, and one of the CTA requirements is to keep using it as the front end to their services. COmanage is a comprehensive Attribute Authority that manages the enrollment of users via their IdPs through different configurable workflows; for CTA, user self-enrollment moderated by an admin user has been implemented.
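To make the resulting flow concrete, here is an added example (illustrative code, not SATOSA's, COmanage's or Grouper's) that models what the proxy described above does with an authenticated user: it maps the (IdP, subject) pair from the incoming assertion to a COmanage person record, refuses access while an account-linking request is still awaiting admin approval, routes unknown identities to enrollment, derives a stable scoped ePUID for the person, and authorizes against the Grouper group each SP requires. The in-memory registry, the entity IDs, the "cta.example" scope, the group and SP names and the HMAC-based ePUID construction are all assumptions made for the example and are not taken from the pilot.

```python
"""Model of the attribute flow behind the CTA proxy.

Illustrative code added to this page; it is not SATOSA's, COmanage's or
Grouper's code. The registry, entity IDs, scope, group and SP names and the
HMAC-based ePUID are assumptions for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SCOPE = "cta.example"                       # assumed ePUID scope
PROXY_SECRET = b"example-secret-rotate-me"  # would live in the proxy config

# Constructed entity IDs: the legacy CTA IdP and one eduGAIN home IdP.
CTA_IDP = "https://idp.cta.example/idp/shibboleth"
UNI_IDP = "https://idp.uni.example/idp/shibboleth"

# Constructed SPs with the Grouper group each one requires.
SP_POLICY = {
    "https://archive.cta.example/sp": "cta:data-access",
    "https://wiki.cta.example/sp": "cta:members",
}


@dataclass
class CoPerson:
    """A COmanage person: identities an admin has approved as linked,
    identities whose linking still awaits approval, and Grouper groups."""
    co_person_id: int
    linked: set = field(default_factory=set)   # {(issuer, subject)}
    pending: set = field(default_factory=set)  # {(issuer, subject)}
    groups: set = field(default_factory=set)


# Constructed registry. Person 101 holds a legacy CTA account and has asked
# to link an eduGAIN identity; person 102 enrolled via eduGAIN only.
REGISTRY = [
    CoPerson(101, {(CTA_IDP, "jdoe")}, {(UNI_IDP, "jdoe@uni.example")},
             {"cta:members", "cta:data-access"}),
    CoPerson(102, {(UNI_IDP, "arossi@uni.example")}, set(), {"cta:members"}),
]


def generate_epuid(co_person_id: int, secret: bytes = PROXY_SECRET) -> str:
    """Opaque, stable, scoped eduPersonUniqueId derived from the CO person id.
    Keyed hashing keeps the value non-guessable; one construction among many."""
    digest = hmac.new(secret, str(co_person_id).encode(), hashlib.sha256)
    return f"{digest.hexdigest()[:32]}@{SCOPE}"


def find_person(issuer: str, subject: str):
    """Map the (IdP, subject) pair of an incoming assertion to a record.
    Returns (person, "linked" | "pending") or (None, None)."""
    for person in REGISTRY:
        if (issuer, subject) in person.linked:
            return person, "linked"
        if (issuer, subject) in person.pending:
            return person, "pending"
    return None, None


def resolve(issuer: str, subject: str, sp: str) -> dict:
    """Decide what the proxy releases to `sp` for a user authenticated
    at `issuer` as `subject`."""
    person, state = find_person(issuer, subject)
    if person is None:
        # Unknown identity: hand the user to the COmanage enrollment flow.
        return {"status": "enroll"}
    if state == "pending":
        # Linking requested but not yet approved by an admin: no access yet.
        return {"status": "pending_link", "co_person_id": person.co_person_id}
    required = SP_POLICY.get(sp)
    if required is None or required not in person.groups:
        return {"status": "denied", "co_person_id": person.co_person_id}
    return {
        "status": "authorized",
        "eduPersonUniqueId": generate_epuid(person.co_person_id),
        "isMemberOf": sorted(person.groups),
    }


def approve_link(co_person_id: int, issuer: str, subject: str) -> bool:
    """Admin approval moves an identity from pending to linked."""
    for person in REGISTRY:
        if person.co_person_id == co_person_id and (issuer, subject) in person.pending:
            person.pending.discard((issuer, subject))
            person.linked.add((issuer, subject))
            return True
    return False


if __name__ == "__main__":
    archive = "https://archive.cta.example/sp"
    print(resolve(CTA_IDP, "jdoe", archive))
    print(resolve(UNI_IDP, "jdoe@uni.example", archive))  # pending_link
    approve_link(101, UNI_IDP, "jdoe@uni.example")
    print(resolve(UNI_IDP, "jdoe@uni.example", archive))  # same ePUID as via CTA IdP
```

Once the admin approves the link, the eduGAIN login yields exactly the same ePUID and groups as the legacy CTA login, which is what lets SPs keep a single account per person regardless of which IdP the user arrives from. A real deployment keys the ePUID on a persistent COmanage identifier rather than on a row id, so that the value survives migrations of the registry.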
CTA pilot Architecture
Results
The AARC CTA pilot system has been successfully tested by the CTA AAI experts, who were able to authenticate and get authorized on specific CTA Service Providers.
The designed workflow, supported by the SATOSA proxy and the microservices implemented on it, has proven to work reliably, supporting the desired authentication and authorization processes.
The main benefits for the CTA community can be summarized as follows:
- Successfully exploited an architecture capable of onboarding the whole CTA community to the eduGAIN trust model and flows
- Included COmanage and Grouper as community tools to support attribute management and fine-grained authorization processes
- Successfully integrated legacy and new Service Providers of interest for the CTA community
- Generated the required ePUID (eduPersonUniqueId) as a unique, reliable identifier for CTA users
- Linked identities between already existing CTA IDs and eduGAIN identifiers
All the original goals of the pilot have been reached.
In a following phase, social and eGov identities could be included via Identity Hub.
The AARC Blueprint Architecture was used as a model to design the pilot by clearly separating each component and its role in the system architecture. The pilot and its testbed will be maintained by INAF.