On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <[email protected]> wrote:
> Hi Suresh,
>
> How should we associate gateway id with user id if user store resides
> outside of Airavata?
>
> Is it ok to assume that a gateway id is associated with a single
> external user store? In that case we can associate gateway id with
> the user store configuration.

Hi Amila,

Yes, this sounds reasonable, right? Since we are assuming gateways do the authorization and send user identity to Airavata, I think it's safe to assume each gateway has one user store. Gateways might support OpenID, InCommon like federated identities, but in the end the gateway/portal has to keep the mapping.

These assumptions might change as we see more use cases, but as of now, these seem to suffice.

Cheers,
Suresh

>
> Thanks
> Amila
>
> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <[email protected]> wrote:
>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <[email protected]>
>> wrote:
>>
>>> Hi Suresh,
>>>
>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>>> (Due to its simplicity compared to entity ids).
>>
>> I did not pay attention to the SAML requirements for entity id's as
>> discussed in the links I sent earlier. But if it doesn't matter, I am +1
>> for using "gateway.airavata.org", this looks much more elegant.
>>
>> Suresh
>>
>>> But in either case
>>> there won't be any changes to the logic we are doing at authentication
>>> stage. Maybe we need to further investigate to figure out what is most
>>> appropriate as a gateway id.
>>>
>>> Thanks
>>> Amila
>>>
>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <[email protected]> wrote:
>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We need to send gateway name together with user name for
>>>>> authentication at Airavata service level. We are thinking of using
>>>>> following syntax for this,
>>>>>
>>>>> username@gatwayId
>>>>>
>>>>> So "@" will be a separator for gateway id and user name. In addition
>>>>> we do authentication based on the gateway id. I am planning to
>>>>> incorporate this change to existing security implementation. If you
>>>>> have any objections/feedback please let us know.
>>>>
>>>> Hi Amila,
>>>>
>>>> Yes this sounds fine to me. But it will work under the assumption of
>>>> gateway id being unique. Maybe we can maintain a wiki page with
>>>> registered gateway id's. Can you please refer to [1] which discusses
>>>> these issues of mapping end users with gateway identifiers.
>>>>
>>>> If you refer to examples at [2], are you proposing to create Entity ID's
>>>> or Gateway DNS Domain in the format gateway.airavata.org?
>>>>
>>>> Cheers,
>>>> Suresh
>>>>
>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
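
Added example, not part of the thread and not Airavata code: a sketch of the "username@gatewayId" scheme discussed above, with unique gateway ids and one user store per gateway. The class and record names are hypothetical, and splitting on the last "@" (so a federated user name that itself contains "@" survives) is an assumption, as is treating DNS-style gateway ids case-insensitively.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: resolves "username@gatewayId" to the gateway's single user store. */
public class GatewayIdentity {
    // Hypothetical stand-in for a gateway's user store configuration.
    record UserStoreConfig(String name) {}
    record Principal(String user, String gatewayId, UserStoreConfig store) {}

    private final Map<String, UserStoreConfig> registry = new ConcurrentHashMap<>();

    /** Gateway ids must be unique: a second registration of the same id is refused. */
    public void register(String gatewayId, UserStoreConfig store) {
        String key = gatewayId.toLowerCase(Locale.ROOT); // assumption: DNS-style ids, case-insensitive
        if (registry.putIfAbsent(key, store) != null) {
            throw new IllegalStateException("gateway id already registered: " + key);
        }
    }

    /** Splits on the LAST '@' (assumption) so a user name such as an e-mail address stays intact. */
    public Optional<Principal> resolve(String identifier) {
        if (identifier == null) return Optional.empty();
        int at = identifier.lastIndexOf('@');
        // Reject a missing separator, an empty user name, or an empty gateway id.
        if (at <= 0 || at == identifier.length() - 1) return Optional.empty();
        String user = identifier.substring(0, at);
        String gatewayId = identifier.substring(at + 1).toLowerCase(Locale.ROOT);
        UserStoreConfig store = registry.get(gatewayId);
        // Unknown gateway: reject before any user store is consulted.
        return store == null
                ? Optional.empty()
                : Optional.of(new Principal(user, gatewayId, store));
    }

    public static void main(String[] args) {
        GatewayIdentity ids = new GatewayIdentity();
        // Constructed sample registration and identifiers.
        ids.register("gateway.airavata.org", new UserStoreConfig("sample-store"));
        String[] samples = {
            "alice@gateway.airavata.org",
            "bob@example.edu@gateway.airavata.org",
            "carol@unregistered.example.org",
            "@gateway.airavata.org",
            "dave"
        };
        for (String id : samples) {
            System.out.println(id + " -> "
                    + ids.resolve(id).map(Principal::toString).orElse("rejected"));
        }
    }
}
```

Records need Java 16 or later. Because the user store is looked up only after the gateway id is found in the registry, an identifier naming an unregistered gateway never reaches any store.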
