
HANDS ON FOR INTERESTED USERS

The Social Identities pilot aims to demonstrate possible mechanisms to include social identities (Facebook, Google, LinkedIn, ...) in the authentication and authorization process for consuming federated services (SAML SPs), exploiting mechanisms to enhance the LoA of the users.

The architecture implemented by the pilot provides an IdP/SP proxy which bridges the external identity providers through the use of an Attribute Authority (COmanage).

For this purpose we have set up a specific collaboration inside COmanage, which acts as Attribute Authority, integrating the basic attributes.

A VO sponsor is the admin of that collaboration: identities are managed by the admin in the COmanage admin interface at https://am03.pilots.aarc-project.eu/registry/

Users will need to access the OpenStack dashboard (AARC instance at EGI). They will be redirected to the WAYF offering different IdPs; they will select one of the social ones (e.g. Google) and then be presented with their Google login page.

Once logged in, they will see a message stating that their request for subscription to the COmanage collaboration requires approval by the VO Sponsor (and they will also be informed of this via email).

Once approved, they will be notified via email and will be able to access the dashboard.

 

User Workflow for interested users:

1. Access the OpenStack Dashboard to use the OpenStack cluster configured as a SAML SP at https://am02.pilots.aarc-project.eu/horizon
2. Click Connect and select your Identity Provider from the discovery page (WAYF). You may select any of the following options:
  • Institutional IdP: AARC DIY Identity Provider (considered an official IdP for demo purposes only)
  • Social IdPs: Facebook, Google, LinkedIn
  • ORCID
3. You will be redirected to the Sign In page of your IdP (e.g. Google).
4. If this is your first time logging in, you will be redirected to the AARC Pilot User Community Sign Up page after successful authentication. Alternatively, you may access the sign up page directly at https://aai-dev.egi.eu/join-aarc
5. Depending on the LoA and/or attributes released by your Home IdP, there are two sign up workflows:
  1. If the LoA is substantial and all required attributes are released: Self-service Sign Up (typically for users coming from eduGAIN IdPs, or the AARC DIY Identity Provider for the purpose of this demo).
  2. If the upstream IdP cannot provide all attributes, or the LoA is low: Approval-based Sign Up. For example, in the case of Social IdPs the Affiliation attribute will be missing; thus, you will be asked to provide any missing attribute values yourself.
6. If your sign up request requires approval (second workflow), the Sponsors of the VO will be notified via email.
7. One of the Sponsor users has to approve your request via the COmanage Registry at https://aai-dev.egi.eu/registry
8. After approval, your account will be activated in COmanage. The identifier retained is the Subject Identifier issued by Google, which is unique, persistent and non-reassignable (not the Google email address).
9. Log in again to the OpenStack dashboard at https://am02.pilots.aarc-project.eu/horizon
10. You will be mapped to a Keystone group based on the values of the eduPersonEntitlement attribute.
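The group mapping in the last step is done by Keystone's federation mapping rules. The following is an added example, not the pilot's own configuration: it builds a rule set in Keystone's mapping JSON format that places users in a group according to the eduPersonEntitlement values released by the proxy, and includes a small evaluator that models the part of Keystone's rule semantics relevant here (direct-mapped attributes, any_one_of / not_any_of, and semicolon-separated multi-valued attributes as exposed by the SP's environment). The entitlement URNs, group and domain names and the REMOTE_USER values are placeholders chosen for the example; the evaluator is a simplified model, not Keystone itself.

```python
"""Keystone federation mapping: eduPersonEntitlement -> Keystone group.

Added example. MAPPING_RULES uses Keystone's real mapping-rule format
(the JSON you would pass to `openstack mapping create --rules`), but the
entitlement URNs, group names and domain are placeholders. The evaluator
below is a simplified model of Keystone's rule processing, written here
to show how an assertion is turned into a user and a list of groups.
"""
import json

# Placeholder entitlement values; the real ones are issued by the pilot's
# Attribute Authority (COmanage) and are not given on this page.
VO_MEMBER = "urn:mace:example.org:group:aarc-pilot:role=member"  # placeholder
VO_ADMIN = "urn:mace:example.org:group:aarc-pilot:role=admin"    # placeholder


def _rule(group, entitlement):
    """Build one Keystone rule: REMOTE_USER becomes the ephemeral user name
    ("{0}" refers to the first direct-mapped remote attribute) and the user
    joins `group` only if eduPersonEntitlement contains `entitlement`."""
    return {
        "local": [
            {"user": {"name": "{0}", "type": "ephemeral"}},
            {"group": {"name": group, "domain": {"name": "Default"}}},
        ],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "eduPersonEntitlement", "any_one_of": [entitlement]},
        ],
    }


# Placeholder group names; the domain "Default" is Keystone's default domain.
MAPPING_RULES = [
    _rule("aarc-pilot-members", VO_MEMBER),
    _rule("aarc-pilot-admins", VO_ADMIN),
]


def _values(assertion, attr):
    """Split a multi-valued attribute the way the SP exposes it: one
    environment variable with values separated by ';'."""
    raw = assertion.get(attr)
    if not raw:
        return []
    return [v for v in raw.split(";") if v]


def rule_matches(rule, assertion):
    """A rule matches only if every remote attribute is present and every
    any_one_of / not_any_of condition holds."""
    for req in rule["remote"]:
        vals = set(_values(assertion, req["type"]))
        if not vals:
            return False
        if "any_one_of" in req and not vals & set(req["any_one_of"]):
            return False
        if "not_any_of" in req and vals & set(req["not_any_of"]):
            return False
    return True


def map_assertion(rules, assertion):
    """Return (user_name, [group names]) for an assertion, or (None, [])
    when no rule matches, i.e. the user gets no Keystone group."""
    user, groups = None, []
    for rule in rules:
        if not rule_matches(rule, assertion):
            continue
        # Direct-mapped attributes (no conditions) are numbered in order and
        # substituted for "{0}", "{1}", ... in the local section.
        direct = [_values(assertion, r["type"])[0]
                  for r in rule["remote"]
                  if "any_one_of" not in r and "not_any_of" not in r]
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].format(*direct)
            if "group" in local:
                groups.append(local["group"]["name"])
    return user, groups


# Constructed sample assertions. REMOTE_USER holds the persistent subject
# identifier relayed by the proxy (not an email address), as step 8 states.
MEMBER_ASSERTION = {
    "REMOTE_USER": "proxy-subject-0001",  # constructed
    "eduPersonEntitlement": VO_MEMBER + ";urn:mace:example.org:group:other",
}
NO_ENTITLEMENT_ASSERTION = {"REMOTE_USER": "proxy-subject-0002"}  # constructed


def mapping_json():
    """The rule set as it would be written to a file for Keystone."""
    return json.dumps(MAPPING_RULES, indent=2)


if __name__ == "__main__":
    print(mapping_json())
    print(map_assertion(MAPPING_RULES, MEMBER_ASSERTION))
    print(map_assertion(MAPPING_RULES, NO_ENTITLEMENT_ASSERTION))
```

The second sample shows the failure mode a practitioner should expect after step 5: a user whose entitlement was never released (or whose sign up has not been approved yet, so COmanage has not issued it) matches no rule and therefore lands in no Keystone group, even though authentication at the IdP succeeded.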
