Dev, I met with Supun and Anuj today to discuss how to best integrate WSO2 Identity Server (IS) with CILogon’s OpenID Connect service [1].
The main outline of the solution Supun has been working toward is something like this:

* PGA redirects to IS with an authorization code grant type
* configure IS to federate authentication with CILogon
* once authenticated via CILogon, IS will Just-in-Time provision users in its local database
* IS redirects back to PGA with an authentication code, which PGA uses to get an access token

The main bug Supun ran into with IS is that the user accounts created Just-in-Time have a User ID like "/cilogon.org/serverA/users/30781". This is not a very friendly username to display to users, nor usable for admins or for auditing purposes. IS theoretically allows you to map another claim to the User ID, but attempts to configure it as such didn't work.

The solution we came up with in our meeting is to have a user ID and a username in the new User Profile model. The user ID will match IS's user ID. The username will be something that the user picks when creating their User Profile and will be the username displayed in PGA. When a new user authenticates and IS redirects back to PGA, PGA will prompt the user to create a User Profile, at which time the user will pick a username. We could prefill the username field with the user's email address (or just the username portion of the email address).

Thanks,
Marcus

[1] - http://www.cilogon.org/oidc
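The relying-party (PGA) side of the flow outlined in the message above, as an added illustrative example that is not PGA's or WSO2 IS's own code: the endpoint URLs, client ID and redirect URI are placeholders, and verification of the ID token signature against the IS JWKS is assumed to have happened before the claim checks shown here. The last function is the username prefill the message proposes, taken from the email claim rather than the opaque IS user ID.

```python
"""Relying-party side of the IS/CILogon flow (illustrative; not PGA's code)."""
import secrets
import time
from urllib.parse import urlencode

# Assumed endpoints and client registration: placeholders, not real IS values.
IS_ISSUER = "https://is.example.org/oauth2/token"
IS_AUTHORIZE = "https://is.example.org/oauth2/authorize"
CLIENT_ID = "pga-client-id"
REDIRECT_URI = "https://pga.example.org/callback"


def new_login_request() -> dict:
    """Step 1: PGA redirects the browser to IS. `state` binds the callback to
    this session (CSRF protection); `nonce` must come back inside the ID token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": "openid email profile",
             "state": state, "nonce": nonce}
    return {"state": state, "nonce": nonce,
            "url": f"{IS_AUTHORIZE}?{urlencode(query)}"}


def code_from_callback(params: dict, expected_state: str) -> str:
    """Step 4: IS redirects back with ?code=...&state=...; reject a wrong state."""
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: callback not bound to this login")
    if "code" not in params:
        raise ValueError(params.get("error", "authorization code missing"))
    return params["code"]


def check_id_token_claims(claims: dict, expected_nonce: str, now=None) -> None:
    """Checks on the decoded ID token payload (signature already verified)."""
    now = now if now is not None else time.time()
    aud = claims.get("aud")
    if claims.get("iss") != IS_ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")


def suggest_username(claims: dict) -> str:
    """Prefill for the User Profile form: local part of the email claim, never
    the opaque IS user ID (sub) such as /cilogon.org/serverA/users/30781."""
    email = claims.get("email", "")
    return email.split("@", 1)[0] if "@" in email else ""
```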