CTA Pilot Description
CTA is a community of astrophysics users which already had its own AAI solution in place, and represents for AARC, in this respect, a very good example of how to address the needs of a community who already developed an AAI, in their case . In this case their AAI solution was based on a SAML stand-alone, catch all Identity Provider, integrated with a Group management tool used for Authorization on selected services service providers.
This pilot propose to provide a non-invasive solution to simplify access to CTA services from eduGAIN and the CTA community.
CTA pilot should provide a solution to CTA administrator that does not upset the mechanisms in use, because they are well known.
The requirements which have been identified from the beginning to add the CTA community to the eduGAIN interferation, from the CTA perspective, are the following ones:
- Implement a user-friendly user enrollment flow
- Manage both CTA and eduGAIN identities for users
- Link identities under administrator approval
- Keep supporting Grouper as the main authorization front end towards their SP / services SPs
- Include guest identities (Social IDs) - [ (light requirement ])
- Support OIDC RP - [ (light requirement ])
The work which has been carried out in the CTA pilot of AARC is aimed at onboarding providing to the CTA community into community the eduGAIN authentication services ensuring at the same time a way to onboard this scientific community into eduGAIN. An infrastructure has beed been deployed based on the model proposed by the AARC Blueprint Architecture to enable the management of users coming from both eduGAIN Identity Providers and the CTA standalone IdP; . The core component of the new infratstrucure infrastructure is the SATOSA IdP/SP proxy, as the central AAI layer to serve the CTA community of users. In addition to that, an external attribute authority (COmanage) has been plugged to the proxy, in order to manage user enrollment process, ensure injection of additional user authorization attributes, allow for account linking whenever appropriate, requested by the users and granted by the manager of the collaboration.
...
- It helps to solve issues related to authentication from different IdPs but logically related to the same scientific community
- The proposed solution uses only existing technologies, without the need to of creating new ones
- It does not change the global approach for the CTA community
Even if this pilot proposes a solution for the CTA community, its components high flexibility allow to change configuration, so every scientific reality that needs this solution can adapt it to their community, to fit their needs of authentication and authorizationThe proposed components within this pilot are highly flexible, which means that other scientific communities can easily adapt the components to fit their own authentication and authorization needs.
Pilot Implementation
...
Phases
This part describes pilot's test phase, emphasizing progress and results.
While onboarding the CTA community, to reach the desired AAI model (based on a central proxy and a community Attribute Authority (COmanage)), two main streams of work have been designed and implemented:
A)
...
Provisioning
...
into COmanage
...
the already existing CTA
...
identities inside the
...
catch-all Identity Provider
To provision ID IDs of already existing CTA users inside into COmanage, we have made use of a temporary LDAP server server and the LDAP user provisioning plugin of COmanage.
B) Model and implement an enrollment workflow for eduGAIN users (not already inside CTA IdP) - Functional integration of COmanage
The frist first step implemented in the this phase of the pilot is consisted of the integration of COmanage and Grouper. Grouper is a Group management tool used by the CTA community to manage Authorization while connecting to their Service Providers. One of the requirements for CTA is to keep making use of this tool as a front end to their services. . COmanage is a comprehensive Attribute Authority, managing the enrollment of users via their IdPs through different cpnfigurable configurable workflows. For CTA user self-enrollment via a moderator admin user has been implemented.
CTA pilot Architecture
Results
The AARC CTA pilot system has been succesfully tested by the CTA AAI experts which have been able to succesfully authenticate and get authorized on specific CTA service providers.
The designed workflow, supported by the SaToSa proxy and its implemented microservices, has proven to work and be reliable, supporting the desired authentication and authorization processes.
The main objective is that a reader can easily understand the benefits achieved by using this pilot. Some examples or brief use cases are recommended.
Some questions to be answered:
Have you achieved your goals?
Any planned improvements for future releases?
CTA pilot Architecture
benefits for the CTA community can be summarized as follows:
Succesfully exploited an architecture capable of onboarding the whole CTA community to the eduGAIN trust model and flows.
- Include COmanage and Grouper as community tools to support attribute management and highly grained authorization processes
- Succesfully integrating legacy and new Service Providers of interest for the CTA community
- Generation of the required ePUID as a unique, reliable identifier for the CTA users
- Linking of identities between already existing CTA IDs and eduGAIN identitfiers
All the orginal goals of the pilot have been reached.
In a following phase, social and eGov identities could be included via Identity Hub.
The AARC Blueprint Architecture was used as a model to design the pilot by clearly separating each component and its role in the system architecture. The pilot and its testbed will be maintained by INAF.