...
Automatic creation is enabled via the NRO option Self registration from eduroam DB: allow creating new institutions.
Once you have set this on, if a user logs in with an account from an eduGAIN IdP we do the following:
- the user’s email address is retrieved from the SAML login;
- a list of all eduroam DB institutions which have this email listed as the admin email is created - let's call it listDB - our goal is to find institutions that do not yet have a corresponding CAT appearance, so that we can propose to create them;
- the system checks listDB and removes entries that already have a link to some CAT institution - if such a link exists there is clearly no need to create anything in CAT;
- the institution names from listDB (already cleaned up in the previous step) in all languages are lower-cased and compared against the lower-cased names of institutions in CAT - again we remove any matches from listDB;
- the realms of the institutions remaining in listDB are compared to the realms defined in CAT institution profiles - once again, matches are removed;
- the remaining entries are presented to the admin to decide whether new CAT institutions should be created (see image below); if the answer is positive, skeleton CAT IdPs are created and added to the admin's list. Each new institution is automatically linked to its corresponding eduroam DB institution using the invitation token mechanism described before: the invitation is sent to the email address presented in the authentication and matched against the eduroam DB.
Add representatives of existing IdPs
...
This approach is closely related to automatic creation of IdPs but is controlled by a separate option Self registration from eduroam DB: add listed admins to CAT institutions. For this to work well you should also have synchronization between CAT institutions and the eduroam DB (described in detail above).
Once you have set this on, if a user logs in with an account from an eduGAIN IdP we do the following:
- the user’s email address is retrieved from the SAML login;
- a list of all eduroam DB institutions which have this email listed as the admin email is created - let's call it listDB - our goal is to find eduroam DB institutions that already have a linked CAT institution which this user does not yet manage;
- from listDB we remove all institutions that do not have a link to a CAT instance;
- from the remaining list we remove institutions where the corresponding CAT institution is already managed by this user;
- if the final list still contains some institutions then we automatically add this user as their admin;
- we display a list of added institutions with a link to an explanation.
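The two procedures above (proposing new CAT institutions from listDB, and adding a logged-in user as admin of already linked ones) as an added, runnable example. This is not CAT's own code: the data model, the field and function names and the sample institutions are this example's assumptions, and the comparisons follow the case-insensitive rules the steps describe.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two data sources. Field and function names are this
# example's own assumptions; they are not identifiers from the CAT code base.

@dataclass
class DbInst:
    """One eduroam DB institution entry."""
    inst_id: str
    names: dict            # language code -> institution name
    realms: set
    admin_email: str

@dataclass
class CatInst:
    """One CAT IdP (institution)."""
    cat_id: int
    names: dict            # language code -> institution name
    realms: set            # realms defined in the institution's profiles
    admins: set            # e-mail addresses of the current CAT admins
    db_link: Optional[str] = None   # linked eduroam DB inst_id, if any

def list_db(db, email):
    """listDB: eduroam DB entries listing this e-mail as the admin e-mail."""
    return [d for d in db if d.admin_email.lower() == email.lower()]

def propose_new_institutions(db, cat, email):
    """Automatic creation: listDB entries with no CAT counterpart by link, name or realm."""
    candidates = list_db(db, email)
    # 1. drop entries already linked to some CAT institution
    linked = {c.db_link for c in cat if c.db_link}
    candidates = [d for d in candidates if d.inst_id not in linked]
    # 2. drop entries whose name in any language matches a CAT name (case-insensitive)
    cat_names = {n.lower() for c in cat for n in c.names.values()}
    candidates = [d for d in candidates
                  if not any(n.lower() in cat_names for n in d.names.values())]
    # 3. drop entries whose realm is already used by a CAT profile
    cat_realms = {r.lower() for c in cat for r in c.realms}
    candidates = [d for d in candidates
                  if not any(r.lower() in cat_realms for r in d.realms)]
    return candidates

def add_as_admin(db, cat, email):
    """Add representatives of existing IdPs: make the user admin of linked CAT
    institutions they do not manage yet; returns the CAT institutions touched."""
    by_link = {c.db_link: c for c in cat if c.db_link}
    added = []
    for d in list_db(db, email):
        c = by_link.get(d.inst_id)
        if c is None:                                        # no link to a CAT instance
            continue
        if email.lower() in {a.lower() for a in c.admins}:   # already managed by this user
            continue
        c.admins.add(email)
        added.append(c)
    return added

# Constructed sample data.
USER = "admin@example.edu.pl"
DB = [
    DbInst("PL001", {"en": "Example University"}, {"example.edu.pl"}, USER),     # linked, user already admin
    DbInst("PL002", {"en": "Example Polytechnic"}, {"poly.example.pl"}, USER),   # name already in CAT
    DbInst("PL003", {"en": "Example Institute"}, {"inst.example.pl"}, USER),     # realm already in CAT
    DbInst("PL004", {"en": "New College"}, {"newcollege.example.pl"}, USER),     # nothing in CAT yet
    DbInst("PL005", {"en": "Old College"}, {"oldcollege.example.pl"}, USER),     # linked, user not yet admin
    DbInst("PL006", {"en": "Other University"}, {"other.edu.pl"}, "someone@other.edu.pl"),
]
CAT = [
    CatInst(1, {"en": "Example University"}, {"example.edu.pl"}, {USER}, db_link="PL001"),
    CatInst(2, {"en": "EXAMPLE POLYTECHNIC"}, {"old-realm.example.pl"}, {"x@poly.example.pl"}),
    CatInst(3, {"en": "Institute (legacy name)"}, {"INST.example.pl"}, {"y@inst.example.pl"}),
    CatInst(4, {"en": "Old College"}, {"oldcollege.example.pl"}, {"z@oldcollege.example.pl"}, db_link="PL005"),
]

if __name__ == "__main__":
    print([d.inst_id for d in propose_new_institutions(DB, CAT, USER)])   # ['PL004']
    print([c.cat_id for c in add_as_admin(DB, CAT, USER)])                # [4]
```

Running it shows the two outcomes side by side: PL004 is the only entry that survives all three filters and is proposed for creation, while PL005 is skipped by the creation path (it is linked) but picked up by the admin-addition path because the user is not yet among that CAT institution's admins. A second call to `add_as_admin` returns nothing, since the admin has now been recorded.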
Self-addition based on SAML eduPersonEntitlement
For this to function, a few prerequisites are required.
- the Self registration based on entitlement: add admins to CAT institutions NRO option needs to be set;
- the user has to login with an eduGAIN registered IdP;
- the user's SAML data must contain the pairwise-id attribute and must not contain eduPersonTargetedID (this second condition may become unnecessary in the future);
- user's SAML data must contain the eduPersonEntitlement attribute with the appropriate value (see the note below for the explanation of "appropriate").
Note: The eduPersonEntitlement attribute is used to mark a user's right to perform some actions in the name of the institution they authenticate with. In this case we are looking for the entitlement to manage eduroam tasks for this institution, which is signalled by an appropriate value of this attribute. NRO admins may set the value to be used within their federation by setting the Custom entitlement value for self-registration option. According to the eduPersonEntitlement specification this value must be a URI. If this option is not set then the default of geant:eduroam:inst:admin will be used.
With all of these prerequisites met, when a user logs in we do the following:
- the user’s email address is retrieved from the SAML login;
- the scope (i.e. the domain part) of the pairwise-id is retrieved;
- the CAT is searched for institutions which have defined profile realms within this user's scope;
- a list of proposed institutions for this admin is presented for confirmation.
We are not using the token mechanism here since in this case it does not add any extra security to the process.
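The entitlement-based procedure above, including the prerequisite checks and the custom entitlement value, as an added example. It is not CAT's code: SAML attributes are modelled as a dict of attribute name to list of values, the function names and sample data are constructed for the example, and the rule that a profile realm is "within" the pairwise-id scope when it equals the scope or is a subdomain of it is an assumption of this example.

```python
# Constructed model: SAML attributes as a dict of attribute name -> list of values.
# Attribute names follow the text above; the function names, the sample data and
# the "realm within scope" rule are this example's own assumptions, not CAT's code.

DEFAULT_ENTITLEMENT = "geant:eduroam:inst:admin"

def required_entitlement(custom_value=None):
    """Value of the NRO option 'Custom entitlement value for self-registration',
    falling back to the default when the option is not set."""
    return custom_value or DEFAULT_ENTITLEMENT

def prerequisite_failure(attrs, custom_value=None):
    """Return None when the SAML prerequisites hold, otherwise a short reason."""
    pid = attrs.get("pairwise-id", [])
    if not pid:
        return "pairwise-id missing"
    if "@" not in pid[0]:
        return "pairwise-id has no scope"
    if "eduPersonTargetedID" in attrs:
        return "eduPersonTargetedID present"
    if required_entitlement(custom_value) not in attrs.get("eduPersonEntitlement", []):
        return "required eduPersonEntitlement value missing"
    return None

def pairwise_scope(pairwise_id):
    """pairwise-id is 'opaque@scope'; the scope is the part after the last '@'."""
    return pairwise_id.rsplit("@", 1)[1].lower()

def realm_in_scope(realm, scope):
    """Assumption: a realm is within the scope when equal to it or a subdomain of it."""
    realm = realm.lower()
    return realm == scope or realm.endswith("." + scope)

def entitlement_proposal(attrs, cat, custom_value=None):
    """Return {'email': ..., 'institutions': [cat_id, ...]} to show the admin for
    confirmation, or None when a prerequisite is not met."""
    if prerequisite_failure(attrs, custom_value) is not None:
        return None
    email = attrs.get("mail", [None])[0]           # e-mail retrieved from the SAML login
    scope = pairwise_scope(attrs["pairwise-id"][0])
    ids = [c["cat_id"] for c in cat
           if any(realm_in_scope(r, scope) for r in c["realms"])]
    return {"email": email, "institutions": ids}

# Constructed sample data: CAT institutions with the realms of their profiles.
CAT = [
    {"cat_id": 1, "realms": {"example.edu.pl"}},
    {"cat_id": 2, "realms": {"students.example.edu.pl"}},
    {"cat_id": 3, "realms": {"other.edu.pl"}},
    {"cat_id": 4, "realms": {"notexample.edu.pl"}},   # shares a suffix, but is not a subdomain
]
ATTRS_OK = {
    "mail": ["jane@example.edu.pl"],
    "pairwise-id": ["7f3a9c1e@example.edu.pl"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms", DEFAULT_ENTITLEMENT],
}
ATTRS_TARGETED = dict(ATTRS_OK, eduPersonTargetedID=["_abc123"])
ATTRS_NO_ENT = dict(ATTRS_OK, eduPersonEntitlement=["urn:mace:dir:entitlement:common-lib-terms"])

if __name__ == "__main__":
    print(entitlement_proposal(ATTRS_OK, CAT))       # institutions [1, 2]
    print(prerequisite_failure(ATTRS_TARGETED))      # eduPersonTargetedID present
    print(prerequisite_failure(ATTRS_NO_ENT))        # required eduPersonEntitlement value missing
```

Two points worth noticing when running it: once the NRO sets a custom entitlement value, the default geant:eduroam:inst:admin is no longer accepted, so a federation switching to a custom URI must make sure its IdPs release the new value; and the example simply trusts the scope as it arrives in pairwise-id, so whether the asserting IdP is actually authorized for that scope is something the SAML layer in front of this logic has to settle.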
Requesting RADIUS/TLS Certificates
...