> We are providing computing resources to the researchers and the
> anonymous identities are not an option for this scenario. We have to
> keep an count of cputime usage for the projects and users.
This is identical to us, all our users have to be identified too. We require the CUI, but we use it only as a 'yes, they've successfully authenticated themselves at home' token, which has to be linked to a user account here.
> For now I wrote an Perl script to our organizational IdP which catches
> Radius Proxy Response and parses EPPN from the SAML-AAA-Assertion
> attribute and performs LDAP query to find out computing environment
That's another way to do it, yes. As long as you have something that can act as the glue between the authentication from a home IdP somewhere else (whether that home IdP ships a SAML assertion to you or something else that allows you to uniquely identify the user), and your local computing resources (the SP), you'll be able to create the mapping somehow.
> If I have understood correctly, later on with TrustRouter connections
> are created directly from the ORPS to the home server without any hops
> (no NRPS or IRPS involved), so also outer-tunnel could be considered to
> be safe channel for user revealing attributes?
Probably yes. I believe this is what David may have referred to earlier last week.
:-)
Stefan
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
|