Changes between Version 5 and Version 6 of FederatingWithGENI
- Timestamp: 02/05/16 08:31:04 (9 years ago)
FederatingWithGENI
v5 v6 14 14 == Identity Federation == 15 15 16 Identity Federation is the act of trusting and sharing identity information about users between systems. As described below, other systems can share information about its users with GENI via Identity Provider integration, while GENI shares information about its users through OpenID . 17 16 18 === Identity Provider Integration === 17 19 18 Federating with GENI Identity 19 NTUA, CFE, UPMC, SAVI, Chameleon 20 Release Research and Scholarship (R&S) Attributes from your IDP 21 We give SP metadata to you, incoporate in your SAML meta-data as an SP you recognize 20 In order for GENI to authenticate a user, it needs an identity provider to release "Research and Scholarship" (R&S) attributes to GENI. Many academic institutions belong to the InCommon Identity federation and of these, many provide the R&S attributes. Such institutions automatically gain access to GENI. Other systems need to set up an identity provider that provides the appropriate attributes. 22 21 23 Then your people can log into GENI 22 If they do, GENI will include their Identity Provider (IdP) in its list of trusted IdP's. GENI in turn will provide its Identity Service Provider (SP) meta-data to your IdP so that your IdP recognizes GENI's SP. From there, a user from an outside institution can create a GENI account using single sign-on authentication to the GENI Portal via their IdP. 24 23 24 A number of systems, e.g. NTUA, Cafe, UPMC, SAVI, Chameleon have shared their identity information with GENI in this manner, allowing them to log into GENI services and use GENI resources. 25 26 More information about GENI's approach to Identity Provider Integration can be found at http://groups.geni.net/geni/wiki/InCommon/FederatingWithGENI. 25 27 26 28 === OpenID Integration === 27 29 28 You: OpenID Relying Party 29 Us: OpenID Identity Provider 30 Provide standard identity attributes (nickname, email) plus other attributes on request (e.g. 
project membership) 31 Set of tokens to ask for additional attributes 32 Send data about me to other services 30 A number of systems or services rely on GENI to provide identity attributes to it: they do not have their own IdP but wish to rely on GENI for identity information. 33 31 34 Already logged into Portal thorugh SHIB 32 GENI implements an OpenID Identity Provider. It will share standard identity attributes (e.g. user nickname, email) with services implementing the OpenID Relying Party protocol. Other attributes (e.g project membership) may be provided by GENI on request. 35 33 34 Only users who have already authenticated to the GENI Portal via the GENI or a federated IdP can share their GENI identity attributes via OpenID. 36 35 37 Authenticated already through SHIB 38 We hand off AUTHN Info 36 GENI is currently integrated via OpenID with the GENI Experimental Engine (GEE), the NYU WiTest Lab, LabWiki and Rutgers ORBIT Lab. 39 37 40 38 More information about GENI's approach to OpenID Integration can be found at http://groups.geni.net/geni/wiki/PortalOpenId. 41 39 42 40 == Control Plane Federation == … … 48 46 In order to federate a set of resources (racks, e.g.) with GENI, the owner of these resources must implement an Aggregate Manager service that presents these resources and allows allocation of these resources. Once this AM is in place, the AM must trust the GENI clearinghouse by including the GENI Clearinghouse CA certificate in its bundle of trusted roots. Once these steps are completed, GENI users will be able to share your resources through your aggregate manager. 49 47 48 More details about the GENI Aggregate Manager API can be found at http://groups.geni.net/geni/wiki/GAPI_AM_API_V2 and http://groups.geni.net/geni/wiki/GAPI_AM_API_V3, 49 50 50 === Clearinghouse === 51 51 52 52 Federating with GENI does not require implementing a Clearinghouse nor interacting with the GENI Clearinghouse (Aggregates do not speak to Clearinghouses). 
That said, the Clearinghouse maintains a registry of recognized and vetted services and having your Aggregate Manager listed in the GENI Clearinghouse Service Registry is a way of publicizing that you are making your Aggregate Manager (and thus your resources) available to GENI users. 53 54 More information about the GENI Federation/Clearinghouse API can be found at http://groups.geni.net/geni/wiki/CommonFederationAPIv2. 53 55 54 56 == Data Plane Federation == … … 64 66 === Stitching === 65 67 66
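Review bot: in the rewritten Identity Provider Integration paragraph, "GENI in turn will provide its Identity Service Provider (SP) meta-data to your IdP" mislabels the SAML role; GENI acts as the Service Provider in this exchange, so "Service Provider (SP) metadata" is the accurate term and avoids confusion with the IdP named in the same sentence. Two smaller points in that hunk: the institution list changed from "CFE" (v5) to "Cafe" (v6), which should be checked against the institution's actual name before it is published, and "its list of trusted IdP's" should read "IdPs". In the section's opening sentence, "other systems can share information about its users" should be "their users".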
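Review bot: in the OpenID Integration hunk, "A number of systems or services rely on GENI to provide identity attributes to it" should read "to them", and "via the GENI or a federated IdP" is missing a noun ("via the GENI IdP or a federated IdP"). The sentence "Other attributes (e.g project membership) may be provided by GENI on request" drops the v5 detail that additional attributes are requested through a set of tokens; if that mechanism is still how a Relying Party asks for non-default attributes, keep a sentence on it, since an integrator reading this page needs to know how the request is made. "e.g" also needs its period.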
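Review bot: in the Control Plane Federation hunk, "the AM must trust the GENI clearinghouse by including the GENI Clearinghouse CA certificate in its bundle of trusted roots" gives the operator no pointer to where that CA certificate is published or how to verify it before installing it; since adding that root is the trust decision that lets clearinghouse-issued credentials authorize allocation of the operator's resources, a link to the certificate's source belongs next to the API links that follow. "GENI users will be able to share your resources through your aggregate manager" reads as though users redistribute the resources; "use" or "allocate" matches the "allows allocation of these resources" wording earlier in the sentence. The GAPI_AM_API_V3 link ends with a comma where a period is needed.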