What's Running Where
| Component | Server | Changes Made |
|---|---|---|
| Portal | geni-portal.co.internet2.edu | |
| Portlet | geni-portal.co.internet2.edu | |
| Backend Service | geni.co.internet2.edu | |
| User IDP | .brown.edu | |
| VO AA (IDP) | co.internet2.edu | |
| CO | co.internet2.edu | |
Flows, Steps, and Task List
| User Action | System Action | Config Changes Needed | Task | Assigned To | Status |
|---|---|---|---|---|---|
| Researcher accesses CO, clicks Login | | | | | |
| + is redirected via WAYF to campus IDP | | | | | |
| + is redirected back to CO | IDP sends authN and attribute assertions | ARP in campus IDP must release appropriate attributes | | | |
| + fills in remainder of profile | | | | | |
| VO Admin accesses CO, clicks Login | | VO Admin must have previously registered at CO and have appropriate privileges | | | |
| + is redirected via WAYF to campus IDP | | | | | |
| + is redirected back to CO | | | | | |
| + makes researcher member of appropriate groups | CO updates Grouper, which replicates info to LDAP | | | | |
| Researcher accesses portal, clicks Login | | | Install Shibboleth SP on uPortal machine | Steve | |
| | | | Install uPortal | Benn | |
| | | | Install sample delegated authN portlet | Benn | |
| | | | Add portal server (SP) to InCommon | Steve | |
| + is redirected via WAYF to campus IDP | | | | | |
| + is redirected back to portal | IDP sends authN and attribute assertions | ARP in campus IDP must release appropriate attributes (minimally, EPPN) | | | |
| | Shib SP at portal queries CO, asking for attributes describing Researcher | Shib SP at portal configured to do attribute aggregation | Configure Shib on portal machine to 1) query CO for additional attributes, and 2) anything needed to support delegated authN use by the portal | Steve | |
| | | IDP must be installed into CO | Install vanilla IDP within CO | Benn | |
| | | ARP in CO IDP must release group memberships to portal | Configure IDP within CO to release attributes | Steve | |
| + Portal grants Researcher appropriate access | Portal sees new group membership and allows access to portlet | Portal admin configures portlet to render for appropriate group | Define/configure the portlet and the group(s) | Benn | |
| Researcher clicks portlet to access backend service | Portal + Shib SP obtains delegated assertion from campus IDP | Portal/Shib running current SP version | | | |
| | | Campus IDP must support delegated authN | Arrange for both I2 and Brown IDPs to support delegated authN | Steve | |
| | Portlet accesses backend service | Backend service created (simple SOAP/REST service) | Identify machine, install sample backend service | Benn | |
| | | Backend service protected by current Shib SP; configured to recognize and validate delegated assertion | Add logic to backend app to respond yes/no depending on permissions and supplied attributes | Benn | |
| | | Shib SP at backend service configured to do attribute aggregation | Install Shib SP and configure | Steve | |
| | | ARP in CO IDP must release group memberships to backend service | Add backend svc SP to InCommon | Steve | |
| | Backend service responds, based on group memberships provided by CO | | | | |
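The two configuration items the task list keeps coming back to are (a) the attribute release policy (ARP) at each IdP and (b) attribute aggregation at the Shibboleth SPs, where the portal and backend SPs query the CO IdP for group memberships after the campus IdP has authenticated the user. The fragments below are an added example written for this page, not configuration taken from the GENI/COmanage deployment. They assume Shibboleth IdP 2.x (`conf/attribute-filter.xml`) and Shibboleth SP 2.x (`shibboleth2.xml`); the entityIDs (`https://geni-portal.co.internet2.edu/shibboleth`, `https://geni.co.internet2.edu/shibboleth`, `https://co.internet2.edu/idp/shibboleth`) and the `isMemberOf` attribute ID used for group memberships are assumptions, and EPPN is assumed to be the join key between the campus identity and the CO's record of the user.

```xml
<!-- ===== 1. Campus IdP (Brown / I2), conf/attribute-filter.xml =====
     Release EPPN only to the portal SP. The requester check is what keeps
     this from becoming a blanket release; do not use basic:ANY as the policy rule.
     SP entityID is an assumption; use the value registered in InCommon. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <AttributeFilterPolicy id="releaseEPPNToGeniPortal">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://geni-portal.co.internet2.edu/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

<!-- ===== 2. CO IdP (co.internet2.edu), conf/attribute-filter.xml =====
     Release group memberships to the portal SP and the backend SP only.
     "isMemberOf" is an assumed attribute ID for the Grouper-derived
     memberships the CO publishes to LDAP. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <AttributeFilterPolicy id="releaseGroupsToGeniSPs">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
          value="https://geni-portal.co.internet2.edu/shibboleth" />
      <basic:Rule xsi:type="basic:AttributeRequesterString"
          value="https://geni.co.internet2.edu/shibboleth" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="isMemberOf">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

<!-- ===== 3. Portal SP (and, with its own entityID, the backend SP), shibboleth2.xml =====
     After the campus IdP's assertion arrives, the SP issues a SAML attribute
     query to the CO IdP, using the EPPN value from the campus assertion as the
     query subject. "eppn" is the id assigned to eduPersonPrincipalName in the
     SP's default attribute-map.xml. The CO IdP's metadata (with an
     AttributeAuthorityDescriptor) must be loaded by one of the MetadataProvider
     elements so the SP can locate the endpoint and verify the response signature. -->
<ApplicationDefaults entityID="https://geni-portal.co.internet2.edu/shibboleth"
    REMOTE_USER="eppn">

  <AttributeExtractor type="XML" validate="true" path="attribute-map.xml" />

  <AttributeResolver type="SimpleAggregation" attributeId="eppn"
      format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    <Entity>https://co.internet2.edu/idp/shibboleth</Entity>
  </AttributeResolver>

  <AttributeFilter type="XML" validate="true" path="attribute-policy.xml" />
</ApplicationDefaults>
```

Two checks are worth running once this is in place. First, the CO IdP must be able to resolve the incoming subject: an attribute query carrying an unspecified-format NameID equal to the EPPN is only answered if the CO IdP has a principal connector mapping that NameID format to the EPPN it holds for the user, and if the CO's ARP above permits release to the querying SP. Second, the SP's own `attribute-policy.xml` should scope `isMemberOf` to the CO IdP's entityID, so that a campus IdP cannot assert group memberships the CO never granted; otherwise the aggregated attribute set silently merges values from both issuers.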