We describe here the setup of the Social Identities pilot.
The Pilot on Attribute Management and Guest Integration is carried out jointly by Task 1 and Task 2 of SA1; its goal is to demonstrate the actual inclusion of Guest Identities in the provisioning and consumption of federated services.
More specifically, the main goal is to demonstrate how a user holding a Social Identity or an ORCID iD can be authorized to use a Cloud service (OpenStack Keystone configured as a SAML SP), provided her/his identity is known to a specific Virtual Organization (or Collaboration). The registration of a Social ID in a directory (or an Attribute Authority) shows that the user has successfully gone through a vetting process that allows her/him to be registered in an AA operated by a Collaboration. This enhances the LoA associated with the Social ID and enables the user to be authorized on a specific SAML SP of relevance to the Collaboration itself.
The Pilot has been conceived to make use of Social Identities (Google ID, FB ID, ...), an IdP/SP proxy bridging OAuth2/OIDC and SAML, an Attribute Authority (COmanage) providing additional attributes to the identity, and, on the Service Provider side, OpenStack Keystone configured as a SAML Service Provider.
Social Identities need to be linked to eduGAIN federated ones; subsequently, they need to be enriched with attributes entitling users to be authorized at SAML Service Providers.
Possible functional components:
1) OAuth2/OIDC Identity Provider providing Claims (is TEIP from GN4 an option at this stage?)
2) Identity Linking: OIDC ID to SAML ID
3) Mapping OIDC/OAuth Claims to SAML Attributes to obtain Authorization attributes
4) Attribute Authorities to enrich the Attribute Set (COmanage, Grouper, HEXAA, PERUN, ...)
5) eduGAIN SP to check AuthN/AuthZ against
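To make steps 3) and 5) concrete, here is an added example (not part of the pilot's own code) of how a SAML SP such as Keystone turns the attributes released through the proxy into an authorization decision. The rule syntax follows Keystone's federation mapping JSON, but the evaluator is a reduced reimplementation for illustration; the entitlement URN, group name and the two sample attribute sets are constructed values.

```python
# Simplified evaluator for Keystone-style federation mapping rules (illustration
# only, not Keystone's own code). A rule matches when every "remote" condition
# holds for the released attributes; its "local" part then names the user and
# the Keystone group the user is placed in.
import json

# Constructed mapping: the SP authorises anyone presenting the Collaboration's
# entitlement (granted by its Attribute Authority after vetting); the user name
# is taken from the principal name issued by the IdP/SP proxy.
MAPPING = json.loads("""
{"rules": [{
  "local": [{"user": {"name": "{0}"}},
            {"group": {"name": "pilot-cloud-users", "domain": {"name": "Default"}}}],
  "remote": [{"type": "eduPersonPrincipalName"},
             {"type": "eduPersonEntitlement",
              "any_one_of": ["urn:geant:example.org:group:pilot-vo#aa.example.org"]}]
}]}
""")


def _condition_holds(cond, attrs):
    values = attrs.get(cond["type"], [])
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    if "not_any_of" in cond:
        return bool(values) and not any(v in cond["not_any_of"] for v in values)
    return bool(values)  # bare "type": the attribute merely has to be present


def evaluate(mapping, attrs):
    """Return {'user': name, 'groups': [...]} for the first matching rule, else None."""
    for rule in mapping["rules"]:
        if not all(_condition_holds(c, attrs) for c in rule["remote"]):
            continue
        # "{i}" placeholders refer to the first value of the i-th remote attribute
        captured = [attrs[c["type"]][0] for c in rule["remote"]]
        result = {"user": None, "groups": []}
        for item in rule["local"]:
            if "user" in item:
                result["user"] = item["user"]["name"].format(*captured)
            if "group" in item:
                result["groups"].append(item["group"]["name"])
        return result
    return None  # no rule matched: the SP denies access


# Constructed assertions: one user registered in the Collaboration's AA, one whose
# social identity was linked to a federated one but never vetted by the Collaboration.
VETTED = {"eduPersonPrincipalName": ["alice@proxy.example.org"],
          "eduPersonEntitlement": ["urn:geant:example.org:group:pilot-vo#aa.example.org"]}
UNVETTED = {"eduPersonPrincipalName": ["bob@proxy.example.org"]}
```

`evaluate(MAPPING, VETTED)` maps the vetted user to the pilot group, while `evaluate(MAPPING, UNVETTED)` returns None because no entitlement was released.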
HANDS-ON FOR INTERESTED USERS TO TRY OUT: SocialIDCockpitPanel