I met with Supun and Anuj today to discuss how to best integrate WSO2 Identity 
Server (IS) with CILogon’s OpenID Connect service [1].

The main outline of the solution Supun has been working toward is something 
like this:
* PGA redirects to IS with an authorization code grant type
* configure IS to federate authentication with CILogon
* once authenticated via CILogon IS will Just-in-Time provision users in its 
local database
* IS redirects back to PGA with an authentication code, which PGA uses to get 
an access token

The main bug Supun ran into with IS is that the user accounts created 
Just-in-Time have a User ID like "/”.  This is 
not a very friendly username to display to users, nor useable for admins or for 
auditing purposes.  IS theoretically allows you to map another claim to the 
User ID, but attempts to configure it as such didn’t work.

The solution we came up with in our meeting is to have a user ID and a username 
in the new User Profile model.  The user ID will match IS’s user ID. The 
username will be something that the user picks when creating their User Profile 
and will be the username displayed in PGA.

When a new user authenticates and IS redirects back to PGA, PGA will prompt the 
user to create a User Profile at which time the user will pick a username. We 
could prefill the username field with the user’s email address (or just the 
username portion of the email address).



[1] -

Reply via email to