This page describes the CILogon service that OOINet uses to authenticate human end users.

Overview

The OOINet user identity and authentication framework exists outside of the system itself: the infrastructure relies on the certificate-based services of CILogon.

CILogon is used to authenticate OOI users over the Web with their existing organizations' identity providers. CILogon is a service that acts as a broker for multiple authenticating authorities such as research organizations and universities (see figure below). It also supports OpenID, a lower level of authentication used by Google and Yahoo, for example. When CILogon receives an authentication request it delegates that request to the correct authentication provider. OOI will prompt a user who is requesting access to enter login information for an account at one of these organizations, then use the CILogon service to verify the account.

Figure 1. CILogon brokering member identity providers to Cyberinfrastructure such as OOINet

See Also:

Authentication Process

The process for interacting with CILogon follows this flow:

  1. Users with a valid CILogon account will enter their credentials at the OOI login screen.
  2. These credentials are forwarded to CILogon for multi-factor authentication. If the account is valid, CILogon will return a key and a certificate.
    1. The certificate will contain, if available, the user name, the authenticating institution and an email address.
    2. In the case of OpenID authentication (Google, Yahoo!, Verisign) to CILogon, only the OpenID URI goes in the certificate subject (no email address, user name or institution is supplied by OpenID providers), so in that case OOI will need to prompt the user for additional information as required.
  3. Internally, the identity registry will extract attributes from the certificate subject, where available, such as the user name, email and institution, to check whether this user has already registered.
    1. If this is a new user, the identity registry will form an internal identifier for the user based on the attributes in the certificate subject.
      1. The user registry will also assign an internal user id in the form of a UUID; this is the identifier that is returned for the user.
    2. In subsequent logins from a registered user, the information in the certificate will be matched against information in the identity registry and the existing OOI user identifier will be returned.
  4. Based on the results of this process, the user may be assigned a role of either authenticated or unauthenticated.

By utilizing the CILogon services, users do not need to create an additional account to access the OOI system. 

In future releases, users with multiple accounts at CILogon-affiliated organizations will be consolidated within the OOI system. For example, if a user has one account at a research site and a separate account at a university, the user will be able to log in to the OOI system via CILogon with either account and be recognized as the same individual.

Implementation

See the following pages for details:
