CTA Pilot Description
The goal of this pilot is to provide a non-invasive solution that simplifies access to CTA services for users coming from eduGAIN and from the CTA community itself.
The pilot should give CTA administrators a solution that does not disrupt the mechanisms already in use, which are well known to them.
With this pilot, new features will be introduced:
- Self-service registration, subject to administrator approval
- Account linking, subject to administrator approval
- Simple and transparent integration of any future CTA service.
Linking the identities held in the current stand-alone CTA IdP with the corresponding eduGAIN identities is a key goal of this pilot.
A long-term goal of this pilot is to move the CTA community from a stand-alone, IdP-based AAI solution to a fully federated one.
This pilot fits AARC's goals well:
- It addresses the authentication of users who come from different IdPs but belong to the same scientific community
- The proposed solution uses only existing technologies, without the need to create new ones
- It does not change the overall approach of the CTA community
Although this pilot proposes a solution for the CTA community, its components are highly configurable, so any scientific community that needs such a solution can adapt it to its own authentication and authorization requirements.
Pilot Implementation phases
This part describes the pilot's test phase, emphasizing progress and results.
To bring the CTA community onto the desired AAI model (a central proxy plus a community Attribute Authority, COmanage), two main streams of work were designed and implemented:
A) Provisioning into COmanage of the CTA identities already present in the CTA catch-all Identity Provider
To provision the identities of existing CTA users into COmanage, we used a temporary LDAP server together with COmanage's LDAP user provisioning plugin.
B) Modelling and implementing an enrollment workflow for eduGAIN users (not already present in the CTA IdP): functional integration of COmanage
The first step implemented in this phase of the pilot is the integration of COmanage and Grouper. Grouper is the group management tool the CTA community uses to manage authorization when users connect to its Service Providers; one of CTA's requirements is to keep using this tool as the front end to its services. COmanage is a comprehensive Attribute Authority that manages the enrollment of users via their IdPs through configurable workflows. For CTA, user self-enrollment with approval by a moderator (an administrator) has been implemented.
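The approval-gated enrollment and account-linking flow of stream B, together with the Grouper-style group check that Service Providers rely on, as an added illustrative model in Python. This is not COmanage or Grouper code and is not part of the original page; the entityIDs, user names and the group name are constructed assumptions. The model keys each identity on the asserting IdP plus its scoped subject, binds an identity to a community person only when an administrator approves the request, and refuses to move an already-approved identity to another person.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed entityIDs (assumptions) for the CTA catch-all IdP and one eduGAIN IdP.
CTA_IDP = "https://idp.cta.example/idp/shibboleth"
EDUGAIN_IDP = "https://idp.uni.example/idp/shibboleth"

@dataclass(frozen=True)
class FederatedIdentity:
    """IdP entityID plus its scoped subject; the IdP is part of the key, so equal subject strings from two IdPs never collide."""
    idp_entity_id: str
    subject: str

@dataclass
class Request:
    kind: str                    # "enroll" (new person) or "link" (attach to an existing one)
    identity: FederatedIdentity  # the identity the requester authenticated with
    name: str = ""
    target_person: Optional[int] = None
    status: str = "pending"

class CommunityRegistry:
    """Stands in for COmanage (persons, bindings, approval queue) and Grouper (groups)."""
    def __init__(self):
        self.persons, self.bindings, self.groups, self.requests = {}, {}, {}, []

    def _new_person(self, name):
        pid = len(self.persons) + 1
        self.persons[pid] = name
        return pid

    def _bind(self, identity, pid):
        # An identity approved once must never be silently moved to another person.
        if identity in self.bindings and self.bindings[identity] != pid:
            raise ValueError("identity already bound to another person")
        self.bindings[identity] = pid

    def provision_existing(self, name, cta_username):
        """Stream A: accounts imported from the catch-all IdP are pre-approved."""
        pid = self._new_person(name)
        self._bind(FederatedIdentity(CTA_IDP, f"{cta_username}@cta.example"), pid)
        return pid

    def submit(self, req):
        """Stream B: queue an enrollment or linking request; nothing is bound yet."""
        self.requests.append(req)
        return len(self.requests) - 1

    def approve(self, req_id):
        """Administrator (moderator) decision: only here does a binding appear."""
        req = self.requests[req_id]
        if req.status != "pending":
            raise ValueError("request already decided")
        if req.kind == "enroll":
            pid = self._new_person(req.name)
        elif req.kind == "link" and req.target_person in self.persons:
            pid = req.target_person
        else:
            raise ValueError("invalid request")
        self._bind(req.identity, pid)
        req.status = "approved"
        return pid

    def reject(self, req_id):
        self.requests[req_id].status = "rejected"

    def add_to_group(self, group, pid):
        self.groups.setdefault(group, set()).add(pid)

    def authorize(self, identity, group):
        """The Service Provider's check; membership is per person, so linked identities inherit it."""
        pid = self.bindings.get(identity)
        return pid is not None and pid in self.groups.get(group, set())

def demo():
    """Walk both streams and return the observations the example is about."""
    reg = CommunityRegistry()
    alice = reg.provision_existing("Alice", "alice")
    reg.add_to_group("cta:data-access", alice)
    alice_edu = FederatedIdentity(EDUGAIN_IDP, "alice@uni.example")
    lookalike = FederatedIdentity(EDUGAIN_IDP, "alice@cta.example")  # same subject, other IdP
    mallory_edu = FederatedIdentity(EDUGAIN_IDP, "mallory@uni.example")
    out = {}
    link = reg.submit(Request("link", alice_edu, target_person=alice))
    out["while_pending"] = reg.authorize(alice_edu, "cta:data-access")    # False
    reg.approve(link)
    out["after_link"] = reg.authorize(alice_edu, "cta:data-access")       # True
    out["lookalike_person"] = reg.bindings.get(lookalike)                 # None
    hijack = reg.submit(Request("link", mallory_edu, target_person=alice))
    reg.reject(hijack)                                                    # admin refuses
    out["mallory_as_alice"] = reg.authorize(mallory_edu, "cta:data-access")  # False
    mallory = reg.approve(reg.submit(Request("enroll", mallory_edu, name="Mallory")))
    out["mallory_own_person"] = mallory != alice                          # True
    try:  # moving Alice's approved eduGAIN identity onto Mallory's person is refused
        reg.approve(reg.submit(Request("link", alice_edu, target_person=mallory)))
        out["rebind_refused"] = False
    except ValueError:
        out["rebind_refused"] = True
    out["alice_idps"] = sorted(i.idp_entity_id for i, p in reg.bindings.items() if p == alice)
    return out
```

Two points the model makes explicit: while a request is pending the identity resolves to no person and receives no authorization, and because group membership is attached to the person rather than to an identifier, the eduGAIN identity inherits Alice's existing membership as soon as the link is approved. The "lookalike" identity shows why the asserting IdP must be part of the key: an eduGAIN IdP presenting the subject string of a CTA catch-all account must not resolve to that account.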
CTA pilot Architecture