Architecture
Source: acrhitecture.odg
SP admin flows
Register a new SP
1a) copy/paste the metadata into a text box
test: is it really XML?
→ if not: error
or
1b) point to metadata URL
test: check if URL exists
→ if not: error
2) test: check if metadata has
- entityID present?
- technical contact email present?
- ACS location present?
→ if not: error
3) resolve captcha
4) press register button
Start registration
1) generate a SHA256 token from IP + timestamp + entityID
test: do not allow an existing entityID to be claimed with a new email
→ if it is: error
2) send an email with the token to the technical contact
e.g. return URL: https://testidp.incibator.geant.org/register.php?token=dsjklzJK98edjlkqwJIDSA
3) write to db table "registration":
- generated token (key)
- email address
- entityID
- timestamp
- ip address
- metadata as an XML blob
- registration status ("email sent", "registration complete")
First time user login
1) User returns to https://testidp.incibator.geant.org/register.php?token=dsjklzJK98edjlkqwJIDSA
test: check if this token is registered in the DB for this email, if not → error
2) The user is now "logged in" for time X
3) Move the XML metadata over to the "martin" table (registration data gets removed)
4) Optionally: additional field to be filled in? → Check with Martin
5) Your IdP is ready at : https://...
Show pointer to metadata
Show metadata to be copied
Show URL?
Show text explaining how to use frontend login screen
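The registration and first-login steps above, as an added example (not the incubator's own code): metadata checks for steps 1a and 2, the token derivation, the "registration" table and the token/email lookup on return, with an in-memory SQLite table and a constructed sample SP metadata document. Two points are assumptions rather than what the page specifies: a hypothetical SERVER_SECRET is mixed into the SHA256 via HMAC, because a hash of only IP + timestamp + entityID can be recomputed by anyone who knows the entityID and can guess the other two inputs, and a TOKEN_TTL bounds "logged in for time X". The URL variant (1b) is not shown; when fetching a user-supplied metadata URL, restrict it to https and external hosts so the registration service cannot be used to reach internal addresses.

```python
"""Added example for the SP registration flow; not the incubator's code.
Assumptions: SAML 2.0 EntityDescriptor metadata, a hypothetical SERVER_SECRET
and TOKEN_TTL, an in-memory SQLite "registration" table."""
import hashlib
import hmac
import sqlite3
import time
import xml.etree.ElementTree as ET  # for untrusted uploads prefer defusedxml

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SERVER_SECRET = b"change-me"   # hypothetical; load from config, not source
TOKEN_TTL = 24 * 3600          # assumption: emailed token valid for one day


class MetadataError(ValueError):
    """Any failed check in steps 1a/2 or a rejected token."""


def parse_metadata(text: str) -> dict:
    """Step 1a + 2: well-formed XML carrying entityID, technical contact
    email and an AssertionConsumerService Location."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}")
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID missing")
    contact = root.find(
        "md:ContactPerson[@contactType='technical']/md:EmailAddress", NS)
    if contact is None or not (contact.text or "").strip():
        raise MetadataError("technical contact email missing")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or not acs.get("Location"):
        raise MetadataError("AssertionConsumerService Location missing")
    email = contact.text.strip()
    if email.lower().startswith("mailto:"):
        email = email[len("mailto:"):]
    return {"entityID": entity_id, "email": email, "acs": acs.get("Location")}


def make_token(ip: str, timestamp: int, entity_id: str) -> str:
    """SHA256 over IP + timestamp + entityID; keyed with SERVER_SECRET
    (assumption) so the value cannot be recomputed from public inputs."""
    msg = f"{ip}|{timestamp}|{entity_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE registration (
        token     TEXT PRIMARY KEY,
        email     TEXT NOT NULL,
        entityID  TEXT NOT NULL UNIQUE,
        timestamp INTEGER NOT NULL,
        ip        TEXT NOT NULL,
        metadata  TEXT NOT NULL,
        status    TEXT NOT NULL
            CHECK (status IN ('email sent', 'registration complete')))""")
    return db


def start_registration(db, metadata_xml: str, ip: str, now=None) -> str:
    """Steps 1-3 of 'Start registration'. Returns the token that would be
    mailed to the technical contact as register.php?token=<token>."""
    info = parse_metadata(metadata_xml)
    now = int(time.time() if now is None else now)
    row = db.execute("SELECT email FROM registration WHERE entityID = ?",
                     (info["entityID"],)).fetchone()
    if row is not None and row[0] != info["email"]:
        raise MetadataError("entityID already registered with another email")
    token = make_token(ip, now, info["entityID"])
    db.execute("INSERT OR REPLACE INTO registration VALUES (?,?,?,?,?,?,?)",
               (token, info["email"], info["entityID"], now, ip,
                metadata_xml, "email sent"))
    db.commit()
    return token


def complete_registration(db, token: str, email: str, now=None) -> str:
    """First time user login: token must exist for this email and be within
    TOKEN_TTL. Marks the row complete and returns the entityID."""
    now = int(time.time() if now is None else now)
    row = db.execute("SELECT email, entityID, timestamp FROM registration "
                     "WHERE token = ?", (token,)).fetchone()
    if row is None or row[0] != email:
        raise MetadataError("token is not registered for this email")
    if now - row[2] > TOKEN_TTL:
        raise MetadataError("token expired")
    db.execute("UPDATE registration SET status = 'registration complete' "
               "WHERE token = ?", (token,))
    db.commit()
    return row[1]


# Constructed sample SP metadata (not real); names are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:admin@sp.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    db = open_db()
    tok = start_registration(db, SAMPLE_METADATA, "192.0.2.10")
    print("mail token:", tok)
    print("registered:", complete_registration(db, tok, "admin@sp.example.org"))
```

The second registration attempt for the same entityID with a different contact address is the check the flow calls out; the token lookup also binds the token to the email it was sent to, so a leaked URL alone is not enough without the matching address.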
Below TBD
Returning to admin interface to modify SP
- 'login' via email token
- look up your own SP?
- confirmation?
2 Comments
Alan Lewis
I'm not sure that registration is a part of the admin flow. I was thinking that the admin flow was mainly around monitoring and managing the multi-tenanted platform and that we have a separate user flow for things such as registration. Perhaps my confusion is that I'm thinking of the flows in terms of roles (administrator role, SP user role) and we are using them here (I think) in a functional sense.
Niels van Dijk
Well it says "SP admin", but I do get the confusion. Perhaps call it "Service Provider Owner"?