Changes between Version 5 and Version 6 of FederatingWithGENI

02/05/16 08:31:04 (8 years ago)



  • FederatingWithGENI

v5 v6 (lines marked "-" were removed in v6, lines marked "+" were added; unmarked lines are unchanged)
== Identity Federation ==
+ Identity Federation is the act of trusting and sharing identity information about users between systems. As described below, other systems can share information about their users with GENI via Identity Provider integration, while GENI shares information about its users through OpenID.
=== Identity Provider Integration ===
- Federating with GENI Identity
- NTUA, CFE, UPMC, SAVI, Chameleon
- Release Research and Scholarship (R&S) Attributes from your IDP
- We give SP metadata to you, incorporate in your SAML meta-data as an SP you recognize
+ In order for GENI to authenticate a user, it needs an identity provider to release "Research and Scholarship" (R&S) attributes to GENI. Many academic institutions belong to the InCommon identity federation, and many of these release the R&S attributes. Users of such institutions automatically gain access to GENI. Other systems need to set up an identity provider that releases the appropriate attributes.
- Then your people can log into GENI
+ If they do, GENI will include their Identity Provider (IdP) in its list of trusted IdPs. GENI in turn will provide its Service Provider (SP) metadata to your IdP so that your IdP recognizes GENI's SP. From there, a user from an outside institution can create a GENI account using single sign-on authentication to the GENI Portal via their IdP.
+ A number of systems, e.g. NTUA, Cafe, UPMC, SAVI and Chameleon, have shared their identity information with GENI in this manner, allowing their users to log into GENI services and use GENI resources.
+ More information about GENI's approach to Identity Provider Integration can be found at
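The two steps above (your IdP loads GENI's SP metadata as a recognised SP, and releases the R&S attributes to it) come down to an attribute-release decision on the IdP side. The following is an added example of that decision, not GENI's or Shibboleth's code: it parses a constructed piece of SP metadata carrying the REFEDS R&S entity category, refuses SPs that are not in the IdP's trusted metadata or lack the category, releases only the R&S bundle, and drops scoped values that do not carry the IdP's own scope. The entityID, user record, scope and the exact bundle membership are assumptions for the example; check the current REFEDS R&S definition for the authoritative attribute list.

```python
"""
Added example, not GENI's code: the attribute-release decision an IdP makes for
a SAML Service Provider, modelled on the REFEDS Research and Scholarship (R&S)
entity category. The SP metadata, entityID, user record and scope below are
constructed placeholders, not GENI's real metadata.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# The R&S attribute bundle (assumed here; check the current REFEDS definition).
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID")
# Attributes whose values carry an "@scope" suffix that must belong to this IdP.
SCOPED_ATTRS = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

# Constructed SP metadata, of the kind GENI hands to an IdP to load as a recognised SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://portal.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed user record, as the IdP's directory would supply it.
USER = {
    "eduPersonPrincipalName": "alice@example.edu",
    "mail": "alice@example.edu",
    "displayName": "Alice Example",
    "givenName": "Alice",
    "sn": "Example",
    "eduPersonScopedAffiliation": "member@example.edu",
    "eduPersonEntitlement": "urn:example:lab-access",   # not in the R&S bundle
}

def entity_categories(metadata_xml):
    """Return (entityID, set of entity-category URIs) declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return root.get("entityID"), cats

def release_attributes(user, metadata_xml, trusted_entities, idp_scope):
    """
    What this IdP releases about `user` to the SP described by `metadata_xml`.
    - An SP whose metadata has not been loaded into the IdP gets nothing.
    - An SP without the R&S entity category gets nothing under this policy.
    - Otherwise only the R&S bundle is released, and a scoped value that does
      not carry this IdP's own scope is dropped instead of being asserted.
    """
    entity_id, cats = entity_categories(metadata_xml)
    if entity_id not in trusted_entities or RS_CATEGORY not in cats:
        return {}
    released = {}
    for name in RS_BUNDLE:
        value = user.get(name)
        if value is None:
            continue
        if name in SCOPED_ATTRS and not value.endswith("@" + idp_scope):
            continue
        released[name] = value
    return released

if __name__ == "__main__":
    print(release_attributes(USER, SP_METADATA,
                             {"https://portal.example.org/shibboleth"}, "example.edu"))
```

The scope check is the part worth copying: an IdP that forwards whatever its directory holds can end up asserting `someone@other-institution.edu`, and an SP that trusts scoped values from the wrong IdP has an account-takeover path. In a production Shibboleth or SimpleSAMLphp deployment the same policy is expressed in the attribute-filter configuration rather than in code.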
=== OpenID Integration ===
- You: OpenID Relying Party
- Us: OpenID Identity Provider
- Provide standard identity attributes (nickname, email) plus other attributes on request (e.g. project membership)
-         Set of tokens to ask for additional attributes
-         Send data about me to other services
+ A number of systems or services rely on GENI to provide identity attributes to them: they do not have their own IdP but wish to rely on GENI for identity information.
- Already logged into Portal through SHIB
+ GENI implements an OpenID Identity Provider. It will share standard identity attributes (e.g. user nickname, email) with services implementing the OpenID Relying Party protocol. Other attributes (e.g. project membership) may be provided by GENI on request.
+ Only users who have already authenticated to the GENI Portal, via the GENI IdP or a federated IdP, can share their GENI identity attributes via OpenID.
- Authenticated already through SHIB
- We hand off AUTHN Info
+ GENI is currently integrated via OpenID with the GENI Experimental Engine (GEE), the NYU WiTest Lab, LabWiki and Rutgers ORBIT Lab.
+ More information about GENI's approach to OpenID Integration can be found at
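The exchange described above, as an added example that is not GENI's code: the OpenID identity provider (OP) hands a signed positive assertion with the standard attributes back to the relying party (RP), and the RP checks it before trusting either the login or the attributes. It assumes OpenID 2.0 with a shared-secret association signed by HMAC-SHA256 and the Simple Registration extension for nickname and email; the endpoint URLs, association handle, MAC key and nonce suffix are constructed placeholders, and the page does not say which OpenID version or extensions the GENI Portal actually uses.

```python
"""
Added example, not GENI's code: the OpenID 2.0 positive assertion an identity
provider (OP) returns to a relying party (RP), and the checks an RP must make
before trusting it and the attributes it carries. Assumes a shared-secret
association with HMAC-SHA256 and the Simple Registration (sreg) extension; the
endpoint URLs, association handle, MAC key and nonce suffix are constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
OP_ENDPOINT = "https://op.example.org/openid"        # placeholder OP endpoint
RETURN_TO = "https://rp.example.org/openid/return"   # placeholder RP return URL
ASSOC_HANDLE = "assoc-12345"                         # placeholder association
MAC_KEY = b"constructed-shared-secret-from-association-setup"
# Fields an RP must refuse to accept unless they are covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}

def kv_sign(fields, signed_names, mac_key):
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields, in order."""
    body = "".join(f"{name}:{fields[name]}\n" for name in signed_names)
    return base64.b64encode(hmac.new(mac_key, body.encode(), hashlib.sha256).digest()).decode()

def op_positive_assertion(identity, nickname, email, now):
    """OP side: build the id_res message that is sent to return_to, as a query string."""
    fields = {
        "mode": "id_res",
        "op_endpoint": OP_ENDPOINT,
        "claimed_id": identity,
        "identity": identity,
        "return_to": RETURN_TO,
        "response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "ab12",
        "assoc_handle": ASSOC_HANDLE,
        "ns.sreg": SREG_NS,
        "sreg.nickname": nickname,
        "sreg.email": email,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.sreg", "sreg.nickname", "sreg.email"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = kv_sign(fields, signed, MAC_KEY)
    fields["ns"] = OPENID_NS
    return urlencode({"openid." + k: v for k, v in fields.items()})

def rp_verify(query, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """RP side. Returns (accepted, reason, attributes that may be trusted)."""
    raw = parse_qs(query, keep_blank_values=True)
    f = {k[len("openid."):]: v[0] for k, v in raw.items() if k.startswith("openid.")}
    if f.get("ns") != OPENID_NS or f.get("mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion", {}
    if f.get("op_endpoint") != OP_ENDPOINT or f.get("return_to") != RETURN_TO:
        return False, "op_endpoint or return_to does not match what the RP expects", {}
    if f.get("assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle", {}
    signed = f.get("signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or any(n not in f for n in signed):
        return False, "a required field is missing or unsigned", {}
    if not hmac.compare_digest(kv_sign(f, signed, MAC_KEY), f.get("sig", "")):
        return False, "bad signature", {}
    nonce = f["response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce", {}
    if abs(now - issued) > max_skew or nonce in seen_nonces:
        return False, "stale or replayed response_nonce", {}
    seen_nonces.add(nonce)
    # Extension attributes are only trustworthy if their namespace and values were signed.
    attrs = {}
    if "ns.sreg" in signed and f.get("ns.sreg") == SREG_NS:
        attrs = {k[len("sreg."):]: v for k, v in f.items() if k.startswith("sreg.") and k in signed}
    return True, "ok", attrs
```

The two checks most often skipped by hand-rolled RPs are the ones this example makes explicit: the attribute fields must themselves be listed in `openid.signed` (an unsigned `sreg.email` can be rewritten in transit), and `response_nonce` must be both fresh and single-use, or a captured assertion logs the attacker in as the victim.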
== Control Plane Federation ==
In order to federate a set of resources (e.g. racks) with GENI, the owner of these resources must implement an Aggregate Manager (AM) service that presents these resources and allows them to be allocated. Once this AM is in place, the AM must trust the GENI Clearinghouse by including the GENI Clearinghouse CA certificate in its bundle of trusted roots. Once these steps are completed, GENI users will be able to use your resources through your Aggregate Manager.
+ More details about the GENI Aggregate Manager API can be found at and,
=== Clearinghouse ===
Federating with GENI does not require implementing a Clearinghouse or interacting with the GENI Clearinghouse (Aggregates do not speak to Clearinghouses). That said, the Clearinghouse maintains a registry of recognized and vetted services, and having your Aggregate Manager listed in the GENI Clearinghouse Service Registry is a way of publicizing that you are making your Aggregate Manager (and thus your resources) available to GENI users.
+ More information about the GENI Federation/Clearinghouse API can be found at
== Data Plane Federation ==
=== Stitching ===