From: Björn H. <b.h...@fz...> - 2015-02-06 13:04:59
Hi all,

last summer (July 10), Krzysztof reported that pull mode should be possible acc. to the UNICORE/X documentation. However, I found some missing bits and pieces to really make it work (for me). As far as I can see from my changes in the unityServer.conf, the most important configuration is to allow certificate based authentication on the SAMLUnicoreSoapIdP endpoint. In order to achieve that, I needed a certWS authenticator, which seemed to have been missing so far. Here's a diff of the relevant portions in unityServer.conf:

================================================== +unityServer.core.authenticators.5.authenticatorName=certWS +unityServer.core.authenticators.5.authenticatorType=certificate with cxf-certificate +unityServer.core.authenticators.5.localCredential=Certificate credential +unityServer.core.authenticators.5.retrievalConfigurationFile=conf/authenticators/empty.json [...] unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP -unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties +unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-unicoreidp.properties unityServer.core.endpoints.4.contextPath=/unicore-soapidp unityServer.core.endpoints.4.endpointRealm=defaultRealm unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service -unityServer.core.endpoints.4.endpointAuthenticators=pwdWS +unityServer.core.endpoints.4.endpointAuthenticators=certWS;pwdWS ==================================================

This configuration is working well for me. However, I am wondering whether this can be correct or is even required. After all I guessed the setup of the additional authenticator and the changes to the endpoint. Ok, looking back into the documentation (Sect. 3.5) I do see the relevant snippet, though the example is not quite right (s/pwdWS/certWS/). The endpoint for the AssertionQueryService needs to be guessed.
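Review bot: the changed endpointAuthenticators line lists both authenticators (certWS;pwdWS), so password authentication stays available on the UNICORE SOAP endpoint next to the new certificate authenticator, while the documentation fix suggested in the same message (s/pwdWS/certWS/) points at certWS alone; please state which is intended, and if UNICORE/X services are meant to authenticate to this endpoint with client certificates only, drop pwdWS from that line. The hunk also switches endpointConfigurationFile from conf/endpoints/saml-webidp.properties to conf/endpoints/saml-unicoreidp.properties without showing that file, so a reviewer cannot check the endpoint settings that go with certWS; include its relevant keys next to the diff. Finally, the new authenticator points retrievalConfigurationFile at conf/authenticators/empty.json; a one-line comment saying why an empty retrieval configuration is sufficient for the certificate authenticator would save the next reader from guessing the same way.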
Maybe it is obvious for knowledgeable people, but it does not appear in either the Unity or the UNICORE/X manual.

Which are the settings for the services consuming attributes? Which roles do they need? Can they have local roles within a VO/Group? Acc. to the developer Wiki there are (were?) issues with this setup as well as the setup for group administration [1]. Do services need to be members of the groups which they query? How do I best set their xlogin (nobody?) if I want to use an attribute class requiring xlogin and role to be set?

BTW, speaking of attribute classes. It is quite some hassle to modify an attribute class for any given group. I think I do understand why this is so, but from the point of view of usability it seems like a nightmare (please don't take this as an offense). I did find a workaround (temporary group), but maybe that should not be required. This is more of a general issue than a UNICORE-specific one. I haven't had a look at the latest release 1.5.0 yet, maybe some of that has gone by now.

Once these issues have been sorted out, I'd like to provide a concise howto on the relevant steps to get UNICORE/X going with UNITY as the attribute source. IMO, this is a very valuable use case, but the description is not fully there, at least not in one piece.

Cheers,
Björn

[1] https://www.assembla.com/spaces/unity-public/wiki/Authorization

--
Dipl.-Inform. Björn Hagemeier
Federated Systems and Data
Juelich Supercomputing Centre
Institute for Advanced Simulation
Phone: +49 2461 61 1584
Fax : +49 2461 61 6656
Email: b.h...@fz...
Skype: bhagemeier
WWW : http://www.fz-juelich.de/jsc

JSC is the coordinator of the John von Neumann Institute for Computing and member of the Gauss Centre for Supercomputing
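The message above says the authenticator and endpoint wiring was guessed. A small consistency lint over unityServer.conf catches the two mistakes such guessing usually produces: an endpoint naming an authenticator that is never defined, and a certificate authenticator with no local credential to verify against. The script below is an added example, not Unity's own tooling. It assumes the key layout shown in the message (unityServer.core.authenticators.<n>.* and unityServer.core.endpoints.<n>.*) and that ';' in endpointAuthenticators separates alternative authenticators, as in certWS;pwdWS above; treating ',' as joining authenticators that must all pass is an assumption about Unity's syntax. The embedded sample config is constructed: the authenticators.5 and endpoints.4 blocks repeat the lines from the diff, while the pwdWS block, authenticators.6 and endpoints.9 are made up so the checks have something to report.

```python
"""Consistency lint for authenticator/endpoint wiring in a unityServer.conf (added example)."""
import re
from typing import Dict, List

AUTH_PREFIX = "unityServer.core.authenticators."
EP_PREFIX = "unityServer.core.endpoints."

# Constructed sample. authenticators.5 and endpoints.4 are the lines from the diff in the
# message; authenticators.1 (pwdWS), authenticators.6 and endpoints.9 are invented so the
# lint has findings to show (assumed names, not from any real installation).
SAMPLE_CONF = """\
unityServer.core.authenticators.1.authenticatorName=pwdWS
unityServer.core.authenticators.1.localCredential=Password credential
unityServer.core.authenticators.5.authenticatorName=certWS
unityServer.core.authenticators.5.authenticatorType=certificate with cxf-certificate
unityServer.core.authenticators.5.localCredential=Certificate credential
unityServer.core.authenticators.5.retrievalConfigurationFile=conf/authenticators/empty.json
# constructed: certificate authenticator that forgot its local credential
unityServer.core.authenticators.6.authenticatorName=certWS2
unityServer.core.authenticators.6.authenticatorType=certificate with cxf-certificate
unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-unicoreidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=certWS;pwdWS
# constructed: endpoint that refers to an authenticator nobody defined
unityServer.core.endpoints.9.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.9.contextPath=/unicore-soapidp-test
unityServer.core.endpoints.9.endpointAuthenticators=certWeb
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value per line, '#' or '!' comments, no continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def group_by_index(props: Dict[str, str], prefix: str) -> Dict[str, Dict[str, str]]:
    """Turn 'prefix<n>.<field>=v' entries into {n: {field: v}}, keeping file order."""
    groups: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        if key.startswith(prefix):
            idx, _, field = key[len(prefix):].partition(".")
            if idx and field:
                groups.setdefault(idx, {})[field] = value
    return groups


def lint(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is self-consistent."""
    findings: List[str] = []
    names: Dict[str, str] = {}  # authenticatorName -> index it was defined at

    for idx, fields in group_by_index(props, AUTH_PREFIX).items():
        name = fields.get("authenticatorName")
        if not name:
            findings.append(f"authenticators.{idx}: missing authenticatorName")
            continue
        if name in names:
            findings.append(f"authenticators.{idx}: duplicate authenticatorName '{name}' (also .{names[name]})")
        names[name] = idx
        # A certificate authenticator verifies the presented cert against a local credential;
        # without one it cannot map the certificate to an entity.
        if fields.get("authenticatorType", "").startswith("certificate") and not fields.get("localCredential"):
            findings.append(f"authenticators.{idx}: certificate authenticator '{name}' has no localCredential")

    used = set()
    for idx, fields in group_by_index(props, EP_PREFIX).items():
        spec = fields.get("endpointAuthenticators", "")
        # ';' separates alternatives (as in certWS;pwdWS); ',' inside an alternative is assumed
        # to join authenticators that must all succeed. Either way every name must exist.
        options = [n.strip() for n in re.split(r"[;,]", spec) if n.strip()]
        if not options:
            findings.append(f"endpoints.{idx}: no endpointAuthenticators set")
        for name in options:
            used.add(name)
            if name not in names:
                findings.append(f"endpoints.{idx}: references undefined authenticator '{name}'")

    for name, idx in names.items():
        if name not in used:
            findings.append(f"authenticators.{idx}: '{name}' is defined but no endpoint uses it")
    return findings


if __name__ == "__main__":
    for line in lint(parse_properties(SAMPLE_CONF)) or ["no findings"]:
        print(line)
```

Run against a real installation by replacing SAMPLE_CONF with the contents of unityServer.conf; the lint is deliberately limited to the cross-references it can see in that one file, so a missing endpoint configuration file such as conf/endpoints/saml-unicoreidp.properties still has to be checked by hand.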