Changes between Version 5 and Version 6 of FederatingWithGENI


Timestamp: 02/05/16 08:31:04
Author: mbrinn@bbn.com
Comment: --
  • FederatingWithGENI

    v5 v6  
    1414== Identity Federation ==
    1515
     16Identity Federation is the act of trusting and sharing identity information about users between systems. As described below, other systems can share information about its users with GENI via Identity Provider integration, while GENI shares information about its users through OpenID .
     17
    1618=== Identity Provider Integration ===
    1719
    18         Federating with GENI Identity
    19         NTUA, CFE, UPMC, SAVI, Chameleon
    20         Release Research and Scholarship (R&S) Attributes from your IDP
    21         We give SP metadata to you, incoporate in your SAML meta-data as an SP you recognize
     20In order for GENI to authenticate a user, it needs an identity provider to release "Research and Scholarship" (R&S) attributes to GENI. Many academic institutions belong to the InCommon Identity federation and of these, many provide the R&S attributes. Such institutions automatically gain access to GENI. Other systems need to set up an identity provider that provides the appropriate attributes.
    2221
    23         Then your people can log into GENI
     22If they do, GENI will include their Identity Provider (IdP) in its list of trusted IdP's. GENI in turn will provide its Identity Service Provider (SP) meta-data to your IdP so that your IdP recognizes GENI's SP. From there, a user from an outside institution can create a GENI account using single sign-on authentication to the GENI Portal via their IdP.
    2423
     24A number of systems, e.g. NTUA, Cafe, UPMC, SAVI, Chameleon have shared their identity information with GENI in this manner, allowing them to log into GENI services and use GENI resources.
     25
     26More information about GENI's approach to Identity Provider Integration can be found at http://groups.geni.net/geni/wiki/InCommon/FederatingWithGENI.
    2527
    2628=== OpenID Integration ===
    2729
    28         You: OpenID Relying Party
    29         Us: OpenID Identity Provider
    30         Provide standard identity attributes (nickname, email) plus other attributes on request (e.g. project membership)
    31                 Set of tokens to ask for additional attributes
    32                 Send data about me to other services
     30A number of systems or services rely on GENI to provide identity attributes to it: they do not have their own IdP but wish to rely on GENI for identity information.
    3331
    34         Already logged into Portal thorugh SHIB
     32GENI implements an OpenID Identity Provider. It will share standard identity attributes (e.g. user nickname, email) with services implementing the OpenID Relying Party protocol. Other attributes (e.g project membership) may be provided by GENI on request.
    3533
     34Only users who have already authenticated to the GENI Portal via the GENI or a federated IdP can share their GENI identity attributes via OpenID.
    3635
    37         Authenticated already through SHIB
    38         We hand off AUTHN Info
     36GENI is currently integrated via OpenID with the GENI Experimental Engine (GEE), the NYU WiTest Lab, LabWiki and Rutgers ORBIT Lab.
    3937
    40 
     38More information about GENI's approach to OpenID Integration can be found at http://groups.geni.net/geni/wiki/PortalOpenId.
    4139
    4240== Control Plane Federation ==
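Review bot: the new paragraph at v6 line 22 opens with "If they do", but the sentence just before it (v6 line 20) ends on "Other systems need to set up an identity provider that provides the appropriate attributes", so it is unclear whether "they" means InCommon institutions releasing R&S attributes or the other systems; suggest starting with "If an institution's IdP releases the R&S attributes, GENI will include that IdP in its list of trusted IdPs". In the same paragraph, the SP metadata GENI hands over is SAML Service Provider metadata (the removed note at v5 line 21 said exactly that: "incorporate in your SAML meta-data as an SP you recognize"); keeping that wording makes clear the IdP must load GENI's SP metadata before it will issue assertions to the GENI Portal. v6 line 24 spells one partner "Cafe" where the removed list at v5 line 19 had "CFE"; use one spelling. Also at line 24, "allowing them to log into GENI services" should read "allowing their users to log into GENI services", since the systems, not the users, are the subject. Minor: "OpenID ." at line 16 has a stray space before the period, "IdP's" at line 22 should be "IdPs", and "e.g project membership" at line 32 is missing the period after "e.g.".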
     
    4846In order to federate a set of resources (racks, e.g.) with GENI, the owner of these resources must implement an Aggregate Manager service that presents these resources and allows allocation of these resources. Once this AM is in place, the AM must trust the GENI clearinghouse by including the GENI Clearinghouse CA certificate in its bundle of trusted roots. Once these steps are completed, GENI users will be able to share your resources through your aggregate manager.
    4947
     48More details about the GENI Aggregate Manager API can be found at http://groups.geni.net/geni/wiki/GAPI_AM_API_V2 and http://groups.geni.net/geni/wiki/GAPI_AM_API_V3,
     49
    5050=== Clearinghouse ===
    5151
    5252Federating with GENI does not require implementing a Clearinghouse nor interacting with the GENI Clearinghouse (Aggregates do not speak to Clearinghouses). That said, the Clearinghouse maintains a registry of recognized and vetted services and having your Aggregate Manager listed in the GENI Clearinghouse Service Registry is a way of publicizing that  you are making your Aggregate Manager (and thus your resources) available to GENI users.
     53
     54More information about the GENI Federation/Clearinghouse API can be found at http://groups.geni.net/geni/wiki/CommonFederationAPIv2.
    5355
    5456== Data Plane Federation ==
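Review bot: the last sentence of v6 line 46 says GENI users "will be able to share your resources through your aggregate manager", but the paragraph is about presenting and allocating resources, so "use" or "reserve" is the verb meant. The trust step in the same paragraph (adding the GENI Clearinghouse CA certificate to the AM's bundle of trusted roots) is worth stating as what it does: it lets the AM validate certificates and credentials that chain to that CA, which is how line 52's claim that "Aggregates do not speak to Clearinghouses" still holds; trust is configured once through the CA certificate rather than through a runtime call to the Clearinghouse. Line 48 ends with a comma after the GAPI_AM_API_V3 URL where a period is needed, and line 52 has a doubled space in "that  you".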
     
    6466=== Stitching ===
    6567
    66