I met with Supun and Anuj today to discuss how to best integrate WSO2 Identity
Server (IS) with CILogon’s OpenID Connect service.
The main outline of the solution Supun has been working toward is something
* PGA redirects to IS with an authorization code grant type
* configure IS to federate authentication with CILogon
* once authenticated via CILogon IS will Just-in-Time provision users in its
* IS redirects back to PGA with an authorization code, which PGA uses to get
an access token
The main bug Supun ran into with IS is that the user accounts created
Just-in-Time have a User ID like "/cilogon.org/serverA/users/30781". This is
not a very friendly username to display to users, nor usable for admins or for
auditing purposes. IS theoretically allows you to map another claim to the
User ID, but attempts to configure it as such didn’t work.
The solution we came up with in our meeting is to have a user ID and a username
in the new User Profile model. The user ID will match IS’s user ID. The
username will be something that the user picks when creating their User Profile
and will be the username displayed in PGA.
When a new user authenticates and IS redirects back to PGA, PGA will prompt the
user to create a User Profile at which time the user will pick a username. We
could prefill the username field with the user’s email address (or just the
username portion of the email address).
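As an added illustration (not code from PGA, WSO2 IS or CILogon), the sketch below walks the PGA side of the flow outlined above and the profile decision just described: PGA redirects to IS with the authorization code grant, checks the returned state, exchanges the code, binds the ID token to this login via the nonce, and then creates a User Profile whose user ID is IS's ID and whose username the user picks, prefilled from the local part of the email claim. The endpoint URLs, client ID, redirect URI, and the assumption that IS returns its user ID in the `sub` claim are hypothetical; the token endpoint is replaced by a stub returning constructed sample data so the example runs offline.

```python
# Added example, not PGA's or WSO2 IS's code: the PGA side of the redirect and
# code exchange, plus the User Profile decision (user ID = IS's ID, username
# picked by the user, prefilled from the email local part). Endpoint URLs,
# client values and the use of `sub` for IS's user ID are assumptions.
import base64
import json
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

IS_AUTHORIZE = "https://is.example.org/oauth2/authorize"  # assumed endpoint
IS_TOKEN = "https://is.example.org/oauth2/token"          # assumed endpoint
CLIENT_ID = "pga"                                         # assumed client id
REDIRECT_URI = "https://pga.example.org/callback"         # assumed

def begin_login(session):
    """Mint state (CSRF binding) and nonce, keep them server-side, and return
    the URL PGA redirects the browser to (authorization code grant)."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "scope": "openid email profile",
         "state": session["state"], "nonce": session["nonce"]}
    return IS_AUTHORIZE + "?" + urlencode(q)

def code_from_callback(session, callback_url):
    """Accept the callback only if its state matches the one stored for this
    session (consumed on first use); return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None) or ""
    got = qs.get("state", [""])[0]
    if not expected or not secrets.compare_digest(got.encode(), expected.encode()):
        raise ValueError("state mismatch")
    if "error" in qs or not qs.get("code"):
        raise ValueError("authorization failed or no code returned")
    return qs["code"][0]

def exchange_code(code, post):
    """Back-channel code-for-token exchange. `post` is injected so the example
    runs offline; in production it is an HTTPS POST with client credentials."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
    return post(IS_TOKEN, form)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def claims_from_id_token(id_token, session):
    """Decode the ID token payload and bind it to this login (nonce, aud).
    Signature verification against IS's JWKS is still mandatory; omitted here
    only to keep the example offline."""
    seg = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if payload.get("nonce") != session.pop("nonce", None):
        raise ValueError("nonce mismatch")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    return payload

@dataclass
class UserProfile:
    user_id: str   # IS's user ID, e.g. "/cilogon.org/serverA/users/30781"
    username: str  # chosen by the user; what PGA displays

def suggest_username(claims):
    """Prefill for the username field: local part of the email claim,
    lowercased and reduced to [a-z0-9._-]; empty if there is no email."""
    local = (claims.get("email") or "").split("@", 1)[0].lower()
    return "".join(c for c in local if c.isalnum() or c in "._-")

def create_profile(claims, chosen, taken):
    """User ID is the `sub` IS issued (assumed to carry the JIT-provisioned
    ID); the username must be well-formed and not already in use."""
    if not re.fullmatch(r"[a-zA-Z0-9][a-zA-Z0-9._-]{0,63}", chosen):
        raise ValueError("invalid username")
    if chosen.lower() in {t.lower() for t in taken}:
        raise ValueError("username already taken")
    return UserProfile(user_id=claims["sub"], username=chosen)

def demo():
    """Run the exchange end to end against constructed sample data."""
    session = {}
    begin_login(session)
    callback = REDIRECT_URI + "?" + urlencode(
        {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": session["state"]})
    code = code_from_callback(session, callback)

    def fake_post(url, form):
        # Constructed stand-in for IS's token endpoint (sample data, alg none).
        claims = {"sub": "/cilogon.org/serverA/users/30781", "aud": CLIENT_ID,
                  "nonce": session["nonce"], "email": "Jane.Doe@example.edu"}
        return {"access_token": "opaque", "id_token": _b64url(b'{"alg":"none"}')
                + "." + _b64url(json.dumps(claims).encode()) + "."}

    tokens = exchange_code(code, fake_post)
    claims = claims_from_id_token(tokens["id_token"], session)
    return create_profile(claims, suggest_username(claims), taken={"admin"})
```

The state check and the nonce binding are what stop a code or ID token from being injected into a different PGA session; the one step the offline stub cannot show is verifying the ID token signature against IS's published keys, which must happen before any claim in it, including `sub`, is used as the user ID.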
 - http://www.cilogon.org/oidc