
CTA Pilot Description

CTA is a community of astrophysics users that already had its own AAI solution in place. In this respect it is, for AARC, a very good example of how to address the needs of a community that has already developed an AAI, in their case based on a stand-alone, catch-all SAML Identity Provider integrated with a group management tool used for authorization on selected Service Providers.

This pilot proposes a non-invasive solution to simplify access to CTA services from both eduGAIN and the CTA community.

The requirements identified from the beginning, from the CTA perspective, for adding the CTA community to the eduGAIN federation are the following:

  • Implement a user-friendly user enrollment flow
  • Manage both CTA and eduGAIN identities for users
  • Link identities under administrator approval
  • Keep supporting Grouper as the main authorization front end towards their SPs / services
  • Include guest identities (Social IDs) - [ light requirement ]
  • Support OIDC RPs - [ light requirement ]

The work carried out in the CTA pilot of AARC is aimed at onboarding the CTA community into eduGAIN. An infrastructure has been deployed based on the model proposed by the AARC Blueprint Architecture to enable the management of users coming from both eduGAIN Identity Providers and the CTA stand-alone IdP. The core component of the new infrastructure is the SATOSA IdP/SP proxy, acting as the central AAI layer serving the CTA community of users. In addition, an external attribute authority (COmanage) has been plugged into the proxy in order to manage the user enrollment process, ensure the injection of additional user authorization attributes, and allow for account linking whenever appropriate, i.e. when requested by the users and granted by the manager of the collaboration.


This pilot perfectly fits with AARC's goals:

  • It helps to solve issues related to authentication from different IdPs but logically related to the same scientific community
  • The proposed solution uses only existing technologies, without the need to create new ones
  • It does not change the global approach for the CTA community

Even though this pilot proposes a solution for the CTA community, the high flexibility of its components allows the configuration to be changed, so that any scientific community needing such a solution can adapt it to fit its own authentication and authorization needs.

Pilot Implementation phases

While onboarding the CTA community, in order to reach the desired AAI model (based on a central proxy and a community Attribute Authority, COmanage), two main streams of work have been designed and implemented:

A)  Provisioning inside COmanage of already existing CTA IDs inside the CTA catch-all Identity Provider

To provision the IDs of already existing CTA users into COmanage, we made use of a temporary LDAP server and the LDAP user provisioning plugin of COmanage.


B) Model and implement an enrollment workflow for eduGAIN users (not already inside the CTA IdP) - Functional integration of COmanage

The first step implemented in this phase of the pilot is the integration of COmanage and Grouper. Grouper is a group management tool used by the CTA community to manage authorization when connecting to their Service Providers, and one of the requirements for CTA is to keep using this tool as the front end to their services. COmanage is a comprehensive Attribute Authority that manages the enrollment of users via their IdPs through different configurable workflows. For CTA, user self-enrollment approved by a moderator admin user has been implemented.

CTA pilot Architecture
