...

Over time, other Internet2 services will be integrated with the Gateway.

Federation Manager

{note}View a static [demo of a Google login|socialid:Demo Google Login] to the FM{note}

The InCommon Federation Manager uses the Google Gateway to authenticate a class of users called Delegated Administrators. The term Delegated Administration refers to the ability of a Site Administrator (who is a privileged user) to delegate responsibility for administering SP metadata to another administrator called a Delegated Administrator. A Delegated Administrator (DA) logs into the Federation Manager (FM) with a federated password, that is, the DA must have an account on an InCommon IdP. (InCommon Operations does not issue passwords to DAs.) If a site wishes to use the Delegated Administration feature of the FM, that site must deploy an IdP or use the Google Gateway.

...

You can view the applications you have consented to on your personal Google Accounts page:

[https://accounts.google.com/IssuedAuthSubTokens]

If you revoke consent previously given for a particular application, the next time you attempt to access that application, you will be asked to approve the release of attributes.

...

Example. Suppose the Google IdP asserts the following email address:

{{user@gmail.com}}

The Gateway is configured to compute the corresponding ePPN as follows:

{{user+gmail.com@google.incommon.org}}

In other words, the value of the ePPN attribute is completely dependent on the email address obtained from Google.

...

On the other hand, the Gateway asserts an ePPN with a fixed scope (“@google.incommon.org”). No configuration at the SP is necessary since by default the SP performs scoped attribute checking based on a fixed set of <shibmd:Scope> elements in Gateway metadata. In fact, there is one such <shibmd:Scope> element in Gateway metadata, namely:

{{<shibmd:Scope regexp="false">google.incommon.org</shibmd:Scope>}}

and so the ePPN shown above will be accepted by the SP by default. The acceptance of any other ePPN is left entirely to the discretion of the SP.
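The two rules above, the Gateway's email-to-ePPN mapping and the SP's scoped attribute check against the `<shibmd:Scope>` elements in Gateway metadata, as an added worked example (not code from the Gateway, simpleSAMLphp or the Shibboleth SP). The scope match is modelled here as an exact string comparison for `regexp="false"` and a full regular-expression match for `regexp="true"`; the function names and the example values other than `user@gmail.com` are my own.

```python
import re

# Fixed scope the Gateway appends to every ePPN it asserts (from the page).
GATEWAY_SCOPE = "google.incommon.org"

# The single <shibmd:Scope regexp="false"> element in Gateway metadata,
# modelled as (value, regexp) pairs.  Assumption: this is how the SP
# reads them; an SP may of course be configured to accept other scopes.
GATEWAY_SCOPES = [("google.incommon.org", False)]


def eppn_from_google_email(email: str) -> str:
    """Derive the ePPN the Gateway computes from a Google-asserted email.

    user@gmail.com -> user+gmail.com@google.incommon.org
    The local part and domain are kept verbatim, the original '@' becomes
    '+', and the Gateway's fixed scope is appended.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}+{domain}@{GATEWAY_SCOPE}"


def split_scoped(value: str) -> tuple[str, str]:
    """Split a scoped attribute value into (local part, scope) at the last '@'."""
    local, sep, scope = value.rpartition("@")
    if not sep or not scope:
        raise ValueError(f"unscoped value: {value!r}")
    return local, scope


def scope_accepted(value: str, scopes=GATEWAY_SCOPES) -> bool:
    """Scoped attribute check: accept the value only if its scope matches one
    of the IdP's <shibmd:Scope> elements.  Unscoped values and values whose
    scope is not listed (e.g. a raw gmail.com address) are rejected."""
    try:
        _, scope = split_scoped(value)
    except ValueError:
        return False
    for pattern, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope == pattern:
            return True
    return False
```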

...

The Internet2/InCommon Google Gateway is an instance of [simpleSAMLphp|http://simplesamlphp.org/] deployed in the Amazon cloud. The Gateway is built and maintained by [Cirrus Identity|http://cirrusidentity.com/].