Hi Marcus,

I did not quite understand the use case here. Could you please explain the exact use case?

My initial guess is the following: a user with CILogon credentials trying to log in to Airavata. Assuming this use case, I have the following questions related to your approach.

1. What exactly is the error you got when trying to use IS claims?
2. With the above solution approach, can the same physical user be registered with two different usernames?

Thanks
-Thejaka

On Thu, Dec 1, 2016 at 5:01 PM, Christie, Marcus Aaron <machr...@iu.edu> wrote:

> Dev,
>
> I met with Supun and Anuj today to discuss how to best integrate WSO2
> Identity Server (IS) with CILogon's OpenID Connect service [1].
>
> The main outline of the solution Supun has been working toward is
> something like this:
>
> * PGA redirects to IS with an authorization code grant type
> * configure IS to federate authentication with CILogon
> * once authenticated via CILogon, IS will Just-in-Time provision users in
>   its local database
> * IS redirects back to PGA with an authentication code, which PGA uses to
>   get an access token
>
> The main bug Supun ran into with IS is that the user accounts created
> Just-in-Time have a User ID like "/cilogon.org/serverA/users/30781".
> This is not a very friendly username to display to users, nor useable for
> admins or for auditing purposes. IS theoretically allows you to map
> another claim to the User ID, but attempts to configure it as such didn't
> work.
>
> The solution we came up with in our meeting is to have a user ID and a
> username in the new User Profile model. The user ID will match IS's user
> ID. The username will be something that the user picks when creating their
> User Profile and will be the username displayed in PGA.
>
> When a new user authenticates and IS redirects back to PGA, PGA will
> prompt the user to create a User Profile, at which time the user will pick a
> username. We could prefill the username field with the user's email address
> (or just the username portion of the email address).
>
> Thanks,
>
> Marcus
>
> [1] - http://www.cilogon.org/oidc
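
A sketch of the User Profile model described in the quoted message, added here as an example and not code from this thread or from Airavata: profiles are keyed by the IS user ID, and the username is a unique, user-picked display name prefilled from the email address. The class and function names and the username policy are assumptions.

```python
# Added example: names and the username policy are assumptions, not Airavata code.
import re
from dataclasses import dataclass


class ProfileError(ValueError):
    """Raised when a profile cannot be created as requested."""


@dataclass(frozen=True)
class UserProfile:
    user_id: str   # opaque ID issued by the identity server; the lookup key
    username: str  # friendly name the user picked; shown in the portal
    email: str


# Assumed policy: 3-32 characters, starting with a letter or digit.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{2,31}$")


def suggest_username(email: str) -> str:
    """Prefill value: the local part of the email, reduced to allowed characters."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"[^a-z0-9._-]", "", local).lstrip("._-")[:32]


class ProfileStore:
    def __init__(self):
        self._by_user_id = {}
        self._by_username = {}

    def get(self, user_id):
        """Return the profile for this user ID, or None on first login."""
        return self._by_user_id.get(user_id)

    def create(self, user_id, username, email):
        username = username.lower()
        if not USERNAME_RE.match(username):
            raise ProfileError("username does not meet the policy")
        if user_id in self._by_user_id:
            # One profile per user ID: a second username is refused.
            raise ProfileError("user ID already has a profile")
        if username in self._by_username:
            # Display names must not collide, or audit logs become ambiguous.
            raise ProfileError("username is already taken")
        profile = UserProfile(user_id, username, email)
        self._by_user_id[user_id] = profile
        self._by_username[username] = profile
        return profile
```

Keying on the user ID stops one IS account from holding two usernames in this sketch; it does not link two different IS user IDs that belong to the same person.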