The INAF CTA Authentication and Authorization Infrastructure provides functionalities enforcing the protection of CTA resources and digital assets by means of a role based authorization and by allowing both a federated authentication (based on eduGAIN inter-federation) and a centralized authorization managed at consortium level. The infrastructure offers a proper environment for enforcing accountability allowing maintenance and audit of logs for relevant events.
The current implementation of the INAF-CTA Authentication and Authorization Infrastructure provision more than 1000 consortium SAML identities and is releasing a persistent and non-reassignable ID as requested by CTA user requirements. Authentication of Observers and Guest Users can be achieved also using eduGAIN inter-federation. The authorization is performed through a dedicated Attribute Authority which grants the definition, management and provisioning of roles based on groups and subgroups. Web interfaces are provided for group administration and web services allows access to those functionalities in a service oriented architecture.
Interface with the Attribute Authority is implemented through web services which exposes the entire business logic through SOAP and REST APIs.
Useful operations include:
The CTA prototype for Proposal Handling System offers an example of implementation of a system leveraging the INAF Attribute Authority Services. In this context the Attribute Authority web services allow to manage submissions of Guest Observer proposals from compilation and transmission to their valuation and scheduling.
The role-based authorization is extensively used to identify e.g. Observers (astronomers that can submit proposals to perform observations) or Reviewers (members of the time allocation committee who will review the submitted proposals).
In this case a new stem is created for each proposal id (e.g. proposalId = 003), new groups are created within the proposal to describe user roles (e.g. “PI” and “CO-I” groups) and new members are assigned to the groups.
API Source Code: https://github.com/Internet2/grouper
API Documentation: https://spaces.internet2.edu/display/Grouper/Grouper+Web+Services
Alessandro Costa INAF-OACT
Eva Sciacca INAF-OACT
Fabio Vitello INAF-OACT
Django, Shibboleth service provider, Cross border Identity provider, Unity, Grouper, GMS