Virtual IdP
## What is a vIdP (or Virtual Organisation IdP)?

A vIdP is an Identity Provider (IdP) provided by the OpenConext platform. It consists of:
- a group of users (as defined in either OpenConext Teams+Grouper, or at an External Group Provider);
- a group of IdPs;
- a combination of the above.
A concrete example is in grid computing (see the Wikipedia article on VOs) where a VO may be a group of researchers from different institutions whose access to a supercomputer or data from the CERN supercollider is their only commonality. Their institutions may not be part of a common federation.
## Using vIdPs

A service (Service Provider or SP) can use a vIdP in two ways:
The SP explicitly specifies the vIdP in its SAML metadata. This is accomplished by providing the SP with different IdP metadata for the OpenConext Engine that is specific to the VO. When compared to the normal Engine IdP metadata, this VO specific metadata specifies:
- a different SingleSignOnService Location URL that includes the vIdP identifier. For instance:
https://engine.surfconext.nl/authentication/idp/single-sign-on/vo:cern-researchers
- a different EntityID. For instance:
https://engine.surfconext.nl/authentication/idp/metadata/vo:cern-researchers
In the example URL and EntityID above, "cern-researchers" is the "Virtual Organisation ID" registered with the OpenConext Engine.
The SingleSignOnService Location URL tells the Engine that it must log the user in using the specified vIdP. The vIdP-specific EntityID is returned in the Issuer element of the SAML assertion, which allows an SP to determine which vIdP context was used.
From the perspective of an SP, each vIdP behaves like a separate IdP. This means that the SP must be provided with metadata specific for the VO. For the "cern-researchers" example used above this metadata would be available at the following URL:
https://engine.surfconext.nl/authentication/idp/metadata/vo:cern-researchers
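As an added example (not part of the OpenConext documentation or code), the following Python check shows how an SP can confirm, after its usual signature and audience validation, that the Assertion's Issuer is the vIdP EntityID it expects rather than the plain Engine EntityID or another VO; the SAML Response is constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ENGINE = "https://engine.surfconext.nl"
# vIdP EntityIDs follow the pattern shown above: .../idp/metadata/vo:<VO id>
VO_ENTITY_RE = re.compile(
    r"^https://engine\.surfconext\.nl/authentication/idp/metadata/vo:([A-Za-z0-9_.-]+)$"
)


def vo_id_from_entity_id(entity_id: str):
    """Return the VO id if entity_id is a vIdP EntityID of the Engine, else None."""
    m = VO_ENTITY_RE.match(entity_id)
    return m.group(1) if m else None


def vidp_sso_location(vo_id: str) -> str:
    """SingleSignOnService Location the SP must use to force login via this vIdP."""
    return f"{ENGINE}/authentication/idp/single-sign-on/vo:{vo_id}"


def check_assertion_issuer(response_xml: str, expected_vo: str) -> bool:
    """True only if the Assertion Issuer is the vIdP EntityID for expected_vo.

    This is a context check on top of, not instead of, signature validation.
    """
    root = ET.fromstring(response_xml)
    issuer = root.find("saml:Assertion/saml:Issuer", NS)
    if issuer is None or not issuer.text:
        return False
    return vo_id_from_entity_id(issuer.text.strip()) == expected_vo


# Constructed, unsigned sample Response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://engine.surfconext.nl/authentication/idp/metadata/vo:cern-researchers</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://engine.surfconext.nl/authentication/idp/metadata/vo:cern-researchers</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(vidp_sso_location("cern-researchers"))
    print(check_assertion_issuer(SAMPLE_RESPONSE, "cern-researchers"))
```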
An 'Implicit vIdP' is the idea that an SP does not need to specify that it wants to only allow users from a specific VO. OpenConext administrators can specify that for an SP using the coin:implicit_vo_id metadata property in the ServiceRegistry.
### Custom SP vIdP Where Are You From / Discovery screen
If an SP wishes to host its own Where Are You From (discovery) screen, it can request the IdPs metadata document with the vIdP postfix. For example:
https://engine.surfconext.nl/authentication/proxy/idps-metadata/vo:cern-researchers
## Configuration

To configure a vIdP, please consult the vIdP management documentation in the Manage section. Although no additional configuration is needed in ServiceRegistry for the vIdP itself, please note that the SP still needs access to the IdPs that are part of the vIdP. This is configured in the ACL section of ServiceRegistry.