airavata-dev mailing list archives

From "Christie, Marcus Aaron" <machr...@iu.edu>
Subject WSO2 Identity Server + CILogon integration
Date Thu, 01 Dec 2016 22:01:34 GMT
Dev,

I met with Supun and Anuj today to discuss how to best integrate WSO2 Identity Server (IS)
with CILogon’s OpenID Connect service [1].

The main outline of the solution Supun has been working toward is something like this:
* PGA redirects to IS with an authorization code grant type
* configure IS to federate authentication with CILogon
* once authenticated via CILogon IS will Just-in-Time provision users in its local database
* IS redirects back to PGA with an authentication code, which PGA uses to get an access token

The main bug Supun ran into with IS is that the user accounts created Just-in-Time have a
User ID like "/cilogon.org/serverA/users/30781".  This is not a very friendly username to
display to users, nor usable for admins or for auditing purposes.  IS theoretically allows
you to map another claim to the User ID, but attempts to configure it as such didn’t work.

The solution we came up with in our meeting is to have a user ID and a username in the new
User Profile model.  The user ID will match IS’s user ID. The username will be something
that the user picks when creating their User Profile and will be the username displayed in
PGA.

When a new user authenticates and IS redirects back to PGA, PGA will prompt the user to create
a User Profile at which time the user will pick a username. We could prefill the username
field with the user’s email address (or just the username portion of the email address).

Thanks,

Marcus

[1] - http://www.cilogon.org/oidc
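An added example, not code from the message or from Airavata's PGA, sketching the PGA side of the flow described above in Python: the authorization-code redirect with a state check on the callback, and a User Profile keyed by the IS user ID with a user-chosen username prefilled from the local part of the email address. The endpoint URL, client id, redirect URI and username rules are assumptions.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

# Endpoint, client id and redirect URI are placeholders (assumptions), not
# Airavata's real configuration.
IS_AUTHORIZE_URL = "https://is.example.org/oauth2/authorize"
CLIENT_ID = "pga-client"
REDIRECT_URI = "https://pga.example.org/callback"
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")  # assumed username policy

@dataclass(frozen=True)
class UserProfile:
    user_id: str   # IS user ID, e.g. "/cilogon.org/serverA/users/30781"
    username: str  # user-chosen name displayed in PGA; display only

def build_authorize_request(session: dict) -> str:
    """Step 1: PGA redirects to IS with the authorization code grant type.
    A random state is kept in the session and must come back unchanged."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid email",
              "state": session["oidc_state"]}
    return f"{IS_AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(session: dict, query: dict) -> str:
    """Step 4: IS redirects back with code and state. The state is consumed
    once and compared in constant time before the code is exchanged."""
    expected = session.pop("oidc_state", None)
    got = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch, callback rejected")
    return query["code"]  # the caller exchanges this for an access token

def suggest_username(email: str) -> str:
    """Prefill for the User Profile form: the local part of the email address."""
    return re.sub(r"[^a-z0-9._-]", "", email.split("@", 1)[0].lower())

def create_profile(profiles: dict, user_id: str, username: str) -> UserProfile:
    """Step 5: the user picks a username; the profile is keyed by the IS user
    ID, so authorization decisions never depend on the display name."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 3-32 chars of a-z 0-9 . _ -")
    if user_id in profiles or any(p.username == username for p in profiles.values()):
        raise ValueError("user ID already has a profile or username is taken")
    profiles[user_id] = UserProfile(user_id, username)
    return profiles[user_id]
```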
