Amila,

> I did not quite understand the use case here. Could you please explain the
> exact use case ?

The use case for the CILogon integration is to enable users to sign in to PGA using their own institution’s credentials. This is to support the campus gateways use case. For example, IU could have an instance of PGA/Airavata where the user authenticates into CAS to gain access to the system.

> 1. What exactly is the error you got when trying to use IS claims ?

The error we got using IS claims is that we couldn’t get it to use any other claim than the ‘sub’ claim for the user’s username. The ‘sub’ claim field is essentially a URL with a numeric identifier (see example below), so that’s not very user friendly. We were hoping we could configure IS to use the email address claim instead, or something else more user friendly (however, email address would be problematic as well since IS uses ampersand to delimit the username from the tenant domain).

> 2. With the above solution approach can the same physical user be registered
> with two different usernames ?

With this approach a user authenticating through the same CILogon institution should only ever have one username. However, if a user authenticates through another CILogon institution then they could create a separate username. So to answer your question, yes. We’ve discussed whether to have an identity linking facility, but I think the jury is still out on that one.

Thanks,

Marcus

> On Dec 6, 2016, at 11:17 AM, Amila Jayasekara <[email protected]> wrote:
>
> Hi Marcus,
>
> I did not quite understand the use case here. Could you please explain the
> exact use case ?
>
> My initial guess is following : a user with CILogon credentials trying to
> login to airavata. Assuming this use case, I have following questions related
> to your approach.
>
> 1. What exactly is the error you got when trying to use IS claims ?
> 2. With the above solution approach can the same physical user be registered
> with two different usernames ?
>
> Thanks
> -Thejaka
>
> On Thu, Dec 1, 2016 at 5:01 PM, Christie, Marcus Aaron <[email protected]>
> wrote:
> Dev,
>
> I met with Supun and Anuj today to discuss how to best integrate WSO2
> Identity Server (IS) with CILogon’s OpenID Connect service [1].
>
> The main outline of the solution Supun has been working toward is something
> like this:
> * PGA redirects to IS with an authorization code grant type
> * configure IS to federate authentication with CILogon
> * once authenticated via CILogon IS will Just-in-Time provision users in its
> local database
> * IS redirects back to PGA with an authentication code, which PGA uses to get
> an access token
>
> The main bug Supun ran into with IS is that the user accounts created
> Just-in-Time have a User ID like "/cilogon.org/serverA/users/30781”. This is
> not a very friendly username to display to users, nor usable for admins or
> for auditing purposes. IS theoretically allows you to map another claim to
> the User ID, but attempts to configure it as such didn’t work.
>
> The solution we came up with in our meeting is to have a user ID and a
> username in the new User Profile model. The user ID will match IS’s user ID.
> The username will be something that the user picks when creating their User
> Profile and will be the username displayed in PGA.
>
> When a new user authenticates and IS redirects back to PGA, PGA will prompt
> the user to create a User Profile at which time the user will pick a
> username. We could prefill the username field with the user’s email address
> (or just the username portion of the email address).
>
> Thanks,
>
> Marcus
>
> [1] - http://www.cilogon.org/oidc
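As an added illustration, not code from PGA, Airavata or WSO2 IS, here is a small Python sketch of the gateway-side profile logic the thread describes: the IS user ID (the OIDC `sub`, e.g. `/cilogon.org/serverA/users/30781`) is stored as the profile's internal user ID and never displayed; on first login the user picks a display username, prefilled from the local part of the e-mail claim; a returning login with the same `sub` finds the existing profile, and a login through another institution (different `sub`) starts a separate profile, as Marcus says. The claims, the in-memory store, the username rule and the function names are all assumptions made for this example.

```python
"""Added example (not PGA/Airavata code): mapping a federated IS user ID
to a user-chosen gateway username, as discussed in the thread above."""
import re
from dataclasses import dataclass, field

# Constructed ID-token claims, shaped like the JIT-provisioned IS account
# described in the thread. The e-mail address is made up for this example.
SAMPLE_CLAIMS = {
    "sub": "/cilogon.org/serverA/users/30781",
    "email": "jdoe@example.edu",
    "name": "Jane Doe",
}

# Assumed username policy: lowercase, starts with a letter, 3-32 chars.
# An e-mail address is deliberately NOT accepted as the username itself;
# it only seeds the suggestion.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{2,31}$")


@dataclass
class UserProfile:
    user_id: str    # the IS user ID (OIDC 'sub'); internal, never displayed
    username: str   # what the user picked; shown in the gateway UI and logs
    email: str


@dataclass
class ProfileStore:
    """In-memory stand-in for the gateway's User Profile table."""
    by_user_id: dict = field(default_factory=dict)
    by_username: dict = field(default_factory=dict)

    def find_by_user_id(self, user_id):
        return self.by_user_id.get(user_id)

    def create(self, user_id, username, email):
        username = username.lower()
        if not USERNAME_RE.match(username):
            raise ValueError(f"invalid username: {username!r}")
        if user_id in self.by_user_id:
            # One IS identity gets exactly one profile.
            raise ValueError("a profile already exists for this user ID")
        if username in self.by_username:
            # Display names must be unique, since admins and audits use them.
            raise ValueError(f"username {username!r} is already taken")
        profile = UserProfile(user_id, username, email)
        self.by_user_id[user_id] = profile
        self.by_username[username] = profile
        return profile


def suggested_username(claims):
    """Prefill value for the profile form: the local part of the e-mail
    claim, lowercased and stripped to the allowed characters. Returns ''
    when nothing usable can be derived, so the form is left blank."""
    email = claims.get("email", "")
    local = email.split("@", 1)[0].lower()
    local = re.sub(r"[^a-z0-9_.-]", "", local)
    return local if USERNAME_RE.match(local) else ""


def on_login(store, claims):
    """Run after the gateway has exchanged the authorization code for
    tokens and validated the ID token. Returns (profile, needs_profile):
    a returning user is recognised by 'sub'; a new one must pick a name."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token has no 'sub' claim")
    existing = store.find_by_user_id(sub)
    if existing is not None:
        return existing, False
    return None, True


def walkthrough():
    """First login, profile creation, return visit, then the same person
    via a second institution (different 'sub'), who must pick another name."""
    store = ProfileStore()
    first, needs_profile = on_login(store, SAMPLE_CLAIMS)
    created = store.create(SAMPLE_CLAIMS["sub"],
                           suggested_username(SAMPLE_CLAIMS),
                           SAMPLE_CLAIMS["email"])
    returning, needs_again = on_login(store, SAMPLE_CLAIMS)
    other = dict(SAMPLE_CLAIMS, sub="/cilogon.org/serverB/users/4455")
    _, other_needs_profile = on_login(store, other)
    try:
        store.create(other["sub"], "jdoe", other["email"])
        clash = False
    except ValueError:
        clash = True   # 'jdoe' is taken; second profile needs a new name
    return (first, needs_profile, created.username,
            returning is created, needs_again, other_needs_profile, clash)
```

The point the sketch makes concrete is that the opaque `sub` is the only stable join key the gateway has: the chosen username is for people, the user ID is for the database, and nothing in the flow links two `sub` values for one person unless an identity-linking step is added later.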
