Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

We describe here the set up of the Social Identities pilot:  ( see bottom of this page for link to hands-on try it out page)

Pilot on Attribute Management and Guest integration is carried out in collaboration by Task1 and Task2 of SA1; Its goals are to demonstrate the actual inclusion of Guest Identities in the provisioning and consuming of Federated services.

More specifically, the main goal is to actually demonstrate how a user, provided with a Social Identity or an ORCID ID, can be Authorized to use a Cloud service ( Openstack Keystone configured as a SAML SP) provided her/his identity is known to a specific Virtual Organization ( or Collaboration).  The fact that a Social ID is registered inside a directory ( or an Attribute Authority)  ensures the user has been going through a process of vetting, succesfully passed, allowing her/him to be registered by an AA operated by a Collaboration. This contributes to enhance the LoA associated to the Social ID, and enables users to be Authorized on a specific SAML SP of relevance for the Collaboration itself.

 

The Pilot has been conceived to make use of Social Identities ( Google ID, FB ID..), an IDP/SP proxy bridgning OAuth2/OIDC and SAML,  an Attribute Authority (COMANAGE), providing additional attributes to the ID, and, on the Service Provider side, Openstack Keystone configured as a SAML Service Provider.

 

 

ComanageGuestPilot.gifImage Added

 

Social Identities need to be linked to eduGAIN federated ones;  Subsequently, they need to be enriched with Attributes entitling users to be authorized to SAML Service Providers.

 

Functional components:

1)  OAuth2/OIDC Identity Provider providing Claims   ( Is TEIP from GN4 an option at this stage)

2)  Identity Linking:  OIDC ID to SAML ID

3) Mapping  OIDC/OAuth  Claims to SALM Attributes to get Authorization attributes

4) Attribute Authorities to enrich Attribute Set (   COMANAGE,  Grouper, HEXXA, PERUN ..[] )

5) eduGAIN  SP to check AuthN/AuthZ against:   Openstack Keystone configured as SAML SP ( Federated Keystone )

 

HANDS ON FOR INTERESTED USERS TO TRY OUT:   External identity provider pilot