Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A detailed description can be find found in this wiki page.

The setup consist of:

...

For the purpose of this pilot, we have enabled federated access to the dashboard of a demo OpenStack Cloud deployment and we are using a set of dummy users registered in the testbed IdP. Specifically, the pilot IdP proxy has been configured to authenticate users and communicate the result of the authentication to an OpenStack's Identity service (Keystone) using SAML assertions. Before passing the authentication results to OpenStack, the pilot IdP proxy contacts a COmanage instance, on which it some collaborations (COCOs) have been created that have a corresponding project in OpenStack for properly the mapping the of users: it attaches any additional entitlement regarding the users user's membership of the COs to the SAML assertion. At this point the new SAML assertion is passed to OpenStack and it is mapped to keystone user groups, based on which, the authenticating authenticated user can access cloud resources using their his/her federated ID.

There was no need to create local accounts on the cloud framework, ephemeral users are used instead: it was creates we created a set of mapping rules that, depending on the entitlements provided by COmanage (ownership to the managing COs with a precise roleand groups with users having specific rules in the CO), associate the external users to the right group defined into openstack, and after which each of them can access to a particular OpenStack project with different user rights (either admin or simple user).

...

4a user belonging to and with admin aggregatore these :member@aarc-yellow.pilots.aarc-project.euurn:mace:aarc-project.euam03.pilots.aarc-project.eu:admin:  member of without any priviledged aggregatore piece Image Removed
Access to the cloud resources
1.

Access OpenStack's Dashboard (Horizon) at https://am02.pilots.aarc-project.eu/horizon

Select "External authentication and login" and click on "Connect".  

 

 

2.

Select your Identity Provider from the discovery page (WAYF).

The institutional IdP to select (considered for demo purposes only) is: AARC DIY Identity Provider

3.

Enter your login credentials to authenticate yourself with the IdP of your Home Organisation. We will show three cases:

a) an user belonging to aarc-yellow CO with admin role

b) an user belonging to aarc-yellow CO with no particular roles

c) an user belonging to aarc-blue CO with admin role

4b.

--

member of aarc-yellow CO

without any priviledged role --

After successful authentication, the user needs to give the consent for releasing your personal information to the Service Provider mentioned in the page (the OpenStack framework in our case).

Among the data that will be passed to the Service Provider, there are the Entitlements released by the attribute

authority COmanage regarding the ownership in the COs and the roles.

In this case the Entitlement contains

this piece of information:

urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:members

:

member@aarc-yellow.pilots.aarc-project.eu

That is the piece of information used for properly mapping the users to the OpenStack projects. 

Click on "yes" for going on.

 

Image Added
Image Removed
5a5b.

The user is successfuly redirected to the OpenStack Dashboard, mapped to a Keystone user group based on the values of the Entitlement attribute, with the eppn as username.

In this case the user is accessing to the aarc-yellow project with the rights for a "regular user" (no administrative rights).

Image RemovedImage Added
4b
4a.

--

user belonging to aarc-yellow CO

and with admin role --

After successful authentication, the user needs to give the consent for releasing your personal information to the Service Provider mentioned in the page (the OpenStack framework in our case).

Among the data that will be passed to the Service Provider, there are the Entitlements released by the attribute

authority COmanage regarding the ownership in the COs and the roles.

In this case the Entitlement contains these

pieces of information:

urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:members:member@aarc-yellow.pilots.aarc-project.eu

urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:admin:member@aarc-yellow.pilots.aarc-project.eu

That is the piece of information used for properly mapping the users to the OpenStack projects. 

Click on "yes" for going on.

 

 

Image Added
5b5a.

The user is successfuly redirected to the OpenStack Dashboard, mapped to a Keystone user group based on the values of the Entitlement attribute, with the eppn as username.

In this case the user is accessing to the aarc-yellow project with no administrative rights.

Image RemovedImage Added
4c.

-- user belonging to aarc-blue CO and with admin role --

After successful authentication, the user needs to give the consensus consent for releasing your personal information to the Service Provider mentioned in the page (the OpenStack framework in our case).

Among the data that will be passed to the Service Provider, there are the Entitlements released by the attribute aggregatore COmanage regarding the ownership in the COs and the roles.

In this case the Entitlement contains contain these piece pieces of information:

urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:members:member@aarc-blue.pilots.aarc-project.eu

urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:admin:member@aarc-blue.pilots.aarc-project.eu

That is the piece of information used for properly mapping the users to the OpenStack projects. 

Click on "yes" for going on.

 

5c.

The user is successfuly redirected to the OpenStack Dashboard, mapped to a Keystone user group based on the values of the Entitlement attribute, with the eppn as username..

In this case the user is accessing to the aarc-blue project with administrative rights.

   

...