Dorian


Managing Trusted Identity Providers

In order for Dorian to issue grid proxies to a user based on their institution-provided credentials, the institution's Identity Provider (IdP) must be registered with and trusted by Dorian. IdPs registered with and trusted by Dorian are referred to as Trusted Identity Providers (Trusted IdPs). The set of Trusted IdPs is managed by Dorian administrators through the GAARDS UI, which provides the ability to remotely add, modify, and remove Trusted IdPs.

A Trusted IdP consists of the following information: IdP Id, IdP Name, IdP Status, User Policy, Certificate, acceptable authentication methods, and attribute specifications. The IdP Id is a unique id assigned by Dorian to identify the IdP. The IdP Name is assigned by an administrator and provides a human-readable name to easily identify the IdP. The IdP Status specifies the current status of the IdP: Active or Suspended. The status lets an administrator grant or suspend grid access for all users associated with an IdP in a single operation. Each Trusted IdP is configured with one of a set of User Policies, which is applied to each of its users when they authenticate. The policy designates how Dorian handles users from that Trusted IdP: what to do when a new user is encountered, and what to do when a user's long term certificate expires. Currently Dorian supports four policies:

  1. Auto Approval / Auto Renewal - A new user is automatically registered and given access to the grid (the user's status is Active). When a user's long term certificate expires, it is automatically renewed.
  2. Auto Approval / Manual Renewal - A new user is automatically registered and given access to the grid (the user's status is Active). When a user's long term certificate expires, an administrator is required to manually renew it.
  3. Manual Approval / Auto Renewal - A new user is automatically registered but not granted access; an administrator is required to grant access (the user's status is Pending). When a user's long term certificate expires, it is automatically renewed.
  4. Manual Approval / Manual Renewal - A new user is automatically registered but not granted access; an administrator is required to grant access (the user's status is Pending). When a user's long term certificate expires, an administrator is required to manually renew it.

When Dorian receives a SAML assertion from a Trusted IdP, it verifies that the assertion was signed with the private key corresponding to the Trusted IdP's certificate; an assertion whose signature does not verify against that certificate is rejected. The Trusted IdP's certificate must therefore be specified.

Each Trusted IdP must also be configured with a list of acceptable authentication methods. A SAML authentication assertion specifies the method by which the Trusted IdP authenticated the user, and Dorian accepts the assertion only if that method is listed as acceptable for the corresponding Trusted IdP.

Dorian requires the SAML assertions provided by Identity Providers to carry four attributes, which Dorian maintains for each user so that Dorian and its administrators can effectively administer grid user accounts: (1) the user's local unique user id within the IdP, (2) the user's first name, (3) the user's last name, and (4) the user's email address. In a SAML assertion, attributes are identified by a namespace and a name. Because attribute naming differs from IdP to IdP, Dorian places no requirements on how the attributes are named within the assertion, so long as the attribute values meet Dorian's formatting requirements. The namespace and name of each of the four attributes must therefore be specified for each Trusted IdP, so that Dorian knows which attributes to look for when it receives an assertion from that IdP.

To manage Trusted IdPs through the GAARDS UI, use the following steps.
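The checks and policies described above, as an added example that is not Dorian's or caGrid's own code: a Python model of a Trusted IdP record, the order in which an incoming assertion is checked against it (registered issuer, Active status, signature against the IdP's certificate, acceptable authentication method, the four required attributes located via the per-IdP namespace and name), and the user policy applied once the assertion is accepted. An HMAC over a canonical encoding stands in for verifying the assertion's XML Signature against the IdP's certificate, since the standard library has no X.509 support; the issuer URL, attribute namespaces, key bytes and user record are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

REQUIRED_ATTRS = ("user_id", "first_name", "last_name", "email")
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"   # SAML 1.x authentication method URI

@dataclass
class TrustedIdP:
    idp_id: int
    name: str
    status: str                   # "Active" or "Suspended"
    auto_approval: bool           # new user starts Active (True) or Pending (False)
    auto_renewal: bool            # expired long term certificate renewed without an admin
    acceptable_auth_methods: frozenset
    attribute_map: dict           # required attribute -> (namespace, name) used by this IdP
    verify_key: bytes             # stand-in for the IdP's certificate (constructed)

@dataclass
class Assertion:
    issuer: str
    auth_method: str
    attributes: dict              # (namespace, name) -> value
    signature: bytes

class AssertionRejected(Exception): pass

def _canonical(issuer, auth_method, attributes):
    body = [issuer, auth_method] + [f"{ns}|{n}|{v}" for (ns, n), v in sorted(attributes.items())]
    return "\n".join(body).encode()

def sign_assertion(idp_key, issuer, auth_method, attributes):
    """IdP side: stand-in for signing the assertion with the IdP's private key."""
    sig = hmac.new(idp_key, _canonical(issuer, auth_method, attributes), hashlib.sha256).digest()
    return Assertion(issuer, auth_method, attributes, sig)

def check_assertion(registry, assertion):
    """Dorian side: apply the Trusted IdP checks; return (idp, required attribute values)."""
    idp = registry.get(assertion.issuer)
    if idp is None:
        raise AssertionRejected("issuer is not a Trusted IdP")
    if idp.status != "Active":                       # Suspended cuts off every user of the IdP
        raise AssertionRejected(f"IdP '{idp.name}' is {idp.status}")
    expected = hmac.new(idp.verify_key, _canonical(assertion.issuer, assertion.auth_method,
                                                  assertion.attributes), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion.signature):
        raise AssertionRejected("signature does not verify against the IdP certificate")
    if assertion.auth_method not in idp.acceptable_auth_methods:
        raise AssertionRejected(f"authentication method '{assertion.auth_method}' is not acceptable")
    values = {}
    for attr in REQUIRED_ATTRS:
        key = idp.attribute_map[attr]                # where THIS IdP carries the attribute
        if not assertion.attributes.get(key):
            raise AssertionRejected(f"required attribute {attr} {key} is missing")
        values[attr] = assertion.attributes[key]
    return idp, values

def apply_user_policy(users, idp, values):
    """Register new users and handle expired certificates according to the IdP's policy."""
    key = (idp.idp_id, values["user_id"])            # accounts are scoped to the issuing IdP
    if key not in users:
        users[key] = {**values, "status": "Active" if idp.auto_approval else "Pending",
                      "cert_expired": False}
        return "registered", users[key]["status"]
    user = users[key]
    if user["cert_expired"]:
        if not idp.auto_renewal:
            return "renewal requires administrator", user["status"]
        user["cert_expired"] = False
        return "renewed", user["status"]
    return ("proxy issued" if user["status"] == "Active" else "access pending"), user["status"]

def outcome(registry, assertion):
    try:
        check_assertion(registry, assertion)
        return "accepted"
    except AssertionRejected as e:
        return str(e)

def demo():
    """Constructed scenario: an Ohio State University IdP under Manual Approval / Auto Renewal."""
    issuer, osu_key = "https://idp.osu.example/saml", b"constructed-idp-key"
    osu = TrustedIdP(2, "Ohio State University", "Active", auto_approval=False, auto_renewal=True,
                     acceptable_auth_methods=frozenset({PASSWORD}),
                     attribute_map={"user_id": ("urn:osu", "uid"), "first_name": ("urn:osu", "givenName"),
                                    "last_name": ("urn:osu", "sn"), "email": ("urn:osu", "mail")},
                     verify_key=osu_key)
    registry, users, results = {issuer: osu}, {}, {}
    attrs = {("urn:osu", "uid"): "jdoe", ("urn:osu", "givenName"): "Jane",
             ("urn:osu", "sn"): "Doe", ("urn:osu", "mail"): "jdoe@osu.example"}
    good = sign_assertion(osu_key, issuer, PASSWORD, attrs)
    idp, values = check_assertion(registry, good)
    results["first_login"] = apply_user_policy(users, idp, values)      # new user is Pending
    users[(2, "jdoe")]["cert_expired"] = True
    results["expired_cert"] = apply_user_policy(users, idp, values)     # renewed automatically
    no_mail = {k: v for k, v in attrs.items() if k != ("urn:osu", "mail")}
    results["wrong_key"] = outcome(registry, sign_assertion(b"not-the-idp-key", issuer, PASSWORD, attrs))
    results["bad_method"] = outcome(registry, sign_assertion(
        osu_key, issuer, "urn:oasis:names:tc:SAML:1.0:am:unspecified", attrs))
    results["missing_email"] = outcome(registry, sign_assertion(osu_key, issuer, PASSWORD, no_mail))
    osu.status = "Suspended"
    results["suspended"] = outcome(registry, good)
    return results
```

The order of checks matters in practice: the issuer lookup and status check come first so that a suspended IdP is refused before any signature work, and the attribute lookup uses the IdP's own namespace/name mapping rather than a fixed attribute name, which is what lets two IdPs that name their email attribute differently both be trusted.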

  1. From the User Management menu select Grid Account Management => Trusted Identity Provider(s).
  2. The Trusted Identity Provider Management window opens (shown below). All the IdPs trusted by a Dorian can be listed as follows:
    1. From the Service drop down, select the service URI of the Dorian whose Trusted IdPs you wish to list; if it is not in the list, enter it manually.
    2. From the Proxy drop down, select the proxy or credentials to use to authenticate to Dorian. This must be a proxy of a Dorian administrator.
  3. Click the Find Trusted Identity Providers button. The Trusted IdPs are listed in the table below the progress bar. The list includes the Trusted IdP's id, human readable name, and status. In the example below, there are two Trusted IdPs listed; the first is Dorian's Local IdP and the second is the Ohio State University IdP. Thus in the example below, Dorian would accept credentials from its local IdP and from the Ohio State University.

Adding a Trusted Identity Provider

To add a Trusted IdP to Dorian, use the following steps.

  1. Click the Add Trusted IdP button in the Trusted Identity Provider Management window to open the Add Trusted IdP window (shown below), which consists of three tabs, each of which requires information to be specified.
    1. IdP Information Tab - specify the name, status, user policy, and acceptable authentication methods.
    2. Certificate Tab - specify the certificate that corresponds to the private key the IdP uses to sign the SAML assertions it issues. The certificate must be specified in PEM format; click the Import Certificate button to open a file browser in which you may browse to the certificate. Because Dorian accepts any assertion whose signature verifies against this certificate, obtain it from the IdP operator through a channel you trust and confirm it is the IdP's signing certificate before importing it.
    3. Attributes Tab - specify the namespace and name that the IdP uses for representing each of the four required attributes in its SAML assertions, such that Dorian knows how to retrieve the attributes from the IdP's SAML assertions.
  2. Once you have specified all the required information, click the Add button to add the IdP to Dorian as a Trusted IdP. Assuming you set the status of the newly added IdP to active, Dorian immediately begins accepting SAML assertions from the IdP.

Viewing/Updating a Trusted Identity Provider

To view/update a Trusted IdP, use the following steps.

  1. Select the Trusted IdP of interest and click the View/Edit Trusted IdP button from the Trusted Identity Provider Management window to open the Trusted IdP window. The Trusted IdP window consists of three tabs:
    1. IdP Information Tab - update the name, status, user policy, and acceptable authentication methods.
    2. Certificate Tab - update the certificate that corresponds to the private key the IdP uses to sign the SAML assertions it issues, for example when the IdP rotates its signing key. If you update the certificate, it must be specified in PEM format; click the Import Certificate button to open a file browser in which you may browse to the certificate.
    3. Attributes Tab - update the namespace and name that the IdP uses for representing each of the four required attributes in its SAML assertions.
  2. Once you have finished updating the Trusted IdP's information click the Update button to commit the changes, which take effect immediately.

Removing a Trusted Identity Provider

To remove a Trusted IdP, select the Trusted IdP to remove in the Trusted Identity Provider Management window and click the Remove Trusted IdP button. Removing a Trusted IdP also removes all user accounts associated with it, revoking access for every user of that IdP. To cut off an IdP's users temporarily while preserving their accounts, set the IdP's status to Suspended instead (see Viewing/Updating a Trusted Identity Provider).
