...
- Petitioner Enrollment Authorization: Authenticated User
- Identity Matching: None
- Require Approval For Enrollment: Yes
- Email Confirmation Mode: Review
- Require Enrollee Authentication: Yes
- Notify On Approved Status: Yes
- Approval Email Body: The approval message can be configured to include the information necessary to login to the server, by referencing the known server address and the assigned identifier (configured below). Here is a sample message:
Your request for access to (@CO_NAME) has been approved!
In order to access our Linux VM, you must do the following:
(1) Login to https://co.pilots.aarc-project.eu/registry
(2) From the dropdown menu with your name (at the top,
near the logout button), select "My AARC Demo VO Identity".
(3) Scroll down to "SSH Keys" and click "Add".
(4) Upload your SSH Key.You will now be able to login to 145.100.181.52.
- Enrollment Attributes
- Name, Official, Organizational Identity, Copy To CO Person, Required
- Email, Official, Organizational Identity, Required
- Affiiliation
- Other attributes as desired
- COmanage can be configured to prepopulate with certain attributes released from the home IdP.
Next, configure identifier assignment. Because the Unix account provisioning support is currently experimental, it is necessary to use identifier assignment to set up some of the attributes used by the posixAccount schema. (It may be necessary to define some of these types as extended types before the identifier assignments can be configured.) Sample identifier assignments:
...
- https://github.com/AndriiGrytsenko/openssh-ldap-publickey
- https://linux.die.net/man/8/ssh-ldap-helper
Usage
Enrollment takes place with the following steps:
- Assuming the self signup enrollment flow, the researcher begins the flow by authenticating using their home IdP. If the IdP is configured to release attributes and COmanage is appropriately configured, those attributes will be prepopulated into the signup form. Otherwise, and for any additional attributes, the researcher completes the signup form.
- The researcher will be asked to confirm control of their asserted email address by clicking a link sent to it.
- The collaboration administrator reviews the application and approves the enrollment.
- Once approved, COmanage will assign a login ID and write the researcher's record to the LDAP server, effectively creating the researcher's Unix account. As part of the approval process, a notification is sent to the researcher regarding the approval and including the login ID and server address.
- The researcher logs into COmanage and uploads their SSH public key.
- COmanage adds the public key to the LDAP record.
- The research may now log in to the Unix server, using the provided address, login ID, and their existing SSH private key.
xxx enroll, upload ssh keys, login to VM
Resources
...