<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Hi Nathan:
<div><br>
<div>
<div>On Aug 2, 2012, at 9:13 AM, Nathan Hook wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div>Hi Karl and Luca,<br>
<br>
To be clear, authentication (authN) is working; the error that you're both seeing is an authorization (authZ) issue.<br>
</div>
</blockquote>
<div><br>
</div>
Yes, correct.<br>
<blockquote type="cite">
<div><br>
When we make a request to the saml attribute service at pcmdi9 (<a href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a>) we always get an attribute response
 that has a user's first name, last name, and email, but no listing of groups to which that user belongs.<br>
<br>
We have tried the following openids in the saml attribute request:<br>
<a href="https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook">https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook</a><br>
https://www.earthsystemgrid.org/myopenid/nhook<br>
https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini<br>
https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse<br>
https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13<br>
<br>
Since we're not getting back any group information from the saml requests, our system seems to be doing the correct behavior (denying access) at this time.<br>
<br>
Is there a different way that we should be authorizing a user's access to cmip5 data?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Please see below for an example of a SAML request to the pcmdi9 attribute service, and the corresponding HTTP response. Basically, if the client asks for the attributes named &quot;CMIP5 Commercial&quot; and &quot;CMIP5 Research&quot;, their values will be returned, if found (i.e.
 the user has obtained CMIP5 membership).</div>
<div><br>
</div>
<blockquote type="cite">
<div><br>
FYI, I was able to download data directly from <a href="http://pcmdi9.llnl.gov/esgf-web-fe/">
http://pcmdi9.llnl.gov/esgf-web-fe/</a> with both my pcmdi9 and <a href="http://www.earthsystemgrid.org">
www.earthsystemgrid.org</a> openids without having to request access to the cmip5 group. &nbsp;Has group registration been turned off or is group registration no longer required to access cmip5 data?</div>
</blockquote>
<br>
</div>
<div>The security enforcement is really established by the data node, not the web-fe. Which dataset were you trying to download? I know GFDL provides free access to their data; all other data nodes should require CMIP5 membership. I just verified that, with
 a new pcmdi9 openid, I am asked to register when requesting data from the pcmdi9 data node.</div>
<div>Also, the old memberships have been transferred to the new system, so your <a href="http://www.earthsystemgrid.org">
www.earthsystemgrid.org</a> openid should already be enabled. I can only explain the success of your pcmdi9 openid if:</div>
<div>a) somehow you had enrolled in CMIP5 at some point</div>
<div>b) or, you were really downloading free data from GFDL</div>
<div><br>
</div>
<div>thanks, Luca</div>
<div><br>
<blockquote type="cite">
<div><br>
Thank you for your time.<br>
<br>
Warm Regards,<br>
<br>
Nathan H.<br>
<br>
<br>
PS: &nbsp;We also tried all the above openids against the attribute service at pcmdi7 (<a href="https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm">https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm</a>). &nbsp;All the
 pcmdi9 openids returned an UnknownPrincipal response, while the <a href="http://www.earthsystemgrid.org">
www.earthsystemgrid.org</a> and pcmdi3 openids returned appropriate group information.<br>
</div>
</blockquote>
<div><br>
</div>
=====================================================================================================</div>
<div><br>
</div>
<div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: Querying SOAP endpoint: <a href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">
https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a> timeout=10000 milliseconds</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;soap11:Envelope xmlns:soap11=&quot;<a href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>&quot;&gt;</div>
<div>&nbsp; &nbsp;&lt;soap11:Body&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &lt;saml2p:AttributeQuery xmlns:saml2p=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; ID=&quot;63c0c153-a6dc-42d7-9b50-30801c9f3d57&quot; IssueInstant=&quot;2012-08-02T18:21:03.380Z&quot; Version=&quot;2.0&quot;&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Issuer xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName&quot;&gt;ESGF Authorization Service&lt;/saml2:Issuer&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Subject xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot;&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:NameID Format=&quot;urn:esg:openid&quot;&gt;<b><a href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b>&lt;/saml2:NameID&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Subject&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; Name=&quot;CMIP5 Commercial&quot; NameFormat=&quot;<a href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>&quot;/&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; Name=&quot;<b>CMIP5 Research</b>&quot; NameFormat=&quot;<a href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>&quot;/&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; Name=&quot;urn:esg:group:role&quot; NameFormat=&quot;<a href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>&quot;/&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &lt;/saml2p:AttributeQuery&gt;</div>
<div>&nbsp; &nbsp;&lt;/soap11:Body&gt;</div>
<div>&lt;/soap11:Envelope&gt;</div>
<div><br>
</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: Response header name=Server value=Apache-Coyote/1.1</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: Response header name=Content-Type value=text/xml</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: Response header name=Content-Length value=1760</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: Response header name=Date value=Thu, 02 Aug 2012 18:21:03 GMT</div>
<div>[DEBUG] esg.security.common.SOAPServiceClient: &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;soap11:Envelope xmlns:soap11=&quot;<a href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>&quot;&gt;</div>
<div>&nbsp; &nbsp;&lt;soap11:Body&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &lt;saml2p:Response xmlns:saml2p=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; ID=&quot;543c8eb4-1958-4f90-b763-e00aadc9249d&quot; InResponseTo=&quot;63c0c153-a6dc-42d7-9b50-30801c9f3d57&quot; IssueInstant=&quot;2012-08-02T18:21:03.528Z&quot; Version=&quot;2.0&quot;&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Issuer xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName&quot;&gt;ESGF Attribute Service&lt;/saml2:Issuer&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2p:Status&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2p:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2p:Status&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Assertion xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; ID=&quot;51ca7a30-42a4-4af5-b704-275e4cc5b91d&quot; IssueInstant=&quot;2012-08-02T18:21:03.531Z&quot; Version=&quot;2.0&quot;&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Issuer Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName&quot;&gt;ESGF Attribute Service&lt;/saml2:Issuer&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Subject&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:NameID Format=&quot;urn:esg:openid&quot;&gt;<b><a href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b>&lt;/saml2:NameID&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;/saml2:Subject&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Conditions NotBefore=&quot;2012-08-02T18:21:03.531Z&quot; NotOnOrAfter=&quot;2012-08-03T18:21:03.531Z&quot;/&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:AttributeStatement&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute Name=&quot;<b>CMIP5 Research</b>&quot; NameFormat=&quot;<a href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>&quot;&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:AttributeValue xmlns:xs=&quot;<a href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>&quot; xmlns:xsi=&quot;<a href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>&quot; xsi:type=&quot;xs:string&quot;&gt;<b>user</b>&lt;/saml2:AttributeValue&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Attribute&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;/saml2:AttributeStatement&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Assertion&gt;</div>
<div>&nbsp; &nbsp; &nbsp; &lt;/saml2p:Response&gt;</div>
<div>&nbsp; &nbsp;&lt;/soap11:Body&gt;</div>
<div>&lt;/soap11:Envelope&gt;</div>
<div><br>
</div>
<div>=========================================================================================</div>
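<div>The authorization rule described above (grant only when a trusted attribute response carries a value for a CMIP5 group attribute), as an added Python example that is not part of this thread or of the ESGF code base; the sample response, its IDs and the openid in it are constructed placeholders, and the InResponseTo, status and validity-window checks are the ones a relying data node would apply before trusting the assertion.</div>

```python
# Added example (not ESGF project code): apply the rule Luca describes, granting
# access only when a trusted attribute response carries a CMIP5 group attribute.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"soap11": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CMIP5_GROUPS = ("CMIP5 Research", "CMIP5 Commercial")
# Constructed sample shaped like the pcmdi9 response; IDs and openid are placeholders.
SAMPLE_RESPONSE = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="resp-1" InResponseTo="query-1" Version="2.0">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="a-1" Version="2.0">
  <saml2:Subject><saml2:NameID Format="urn:esg:openid">https://idp.example.invalid/openid/alice</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
  <saml2:AttributeStatement><saml2:Attribute Name="CMIP5 Research">
   <saml2:AttributeValue>user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response></soap11:Body></soap11:Envelope>"""

def saml_time(s):
    # Parse a SAML UTC timestamp such as 2012-08-02T18:21:03.531Z into an aware datetime.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def group_attributes(xml_text, expected_query_id, now):
    """Return {attribute name: values} from a response we may trust, else None."""
    now = saml_time(now) if isinstance(now, str) else now
    resp = ET.fromstring(xml_text).find("soap11:Body/saml2p:Response", NS)
    # It must answer the query we actually sent and carry a Success status code.
    if resp is None or resp.get("InResponseTo") != expected_query_id:
        return None
    code = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None
    attrs = {}
    for assertion in resp.findall("saml2:Assertion", NS):
        cond = assertion.find("saml2:Conditions", NS)
        nb = cond.get("NotBefore") if cond is not None else None
        na = cond.get("NotOnOrAfter") if cond is not None else None
        if (nb and now < saml_time(nb)) or (na and now >= saml_time(na)):
            continue  # outside its validity window: contributes nothing
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            vals = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(vals)
    return attrs

def authorize_cmip5(xml_text, expected_query_id, now):
    """Grant only if the subject holds a value for a CMIP5 group; deny otherwise."""
    attrs = group_attributes(xml_text, expected_query_id, now)
    return bool(attrs) and any(attrs.get(g) for g in CMIP5_GROUPS)
```

A response that only carries first name, last name and email (the case Nathan reports) yields no CMIP5 group attribute and is therefore denied, exactly as his system does.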
<blockquote type="cite">
<div><br>
<br>
<br>
On 8/1/2012 9:36 AM, Karl Taylor wrote:<br>
<blockquote type="cite">Hi Nate,<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Even with a pcmdi9 openid, I get this error:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">so something is not quite right yet.<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">thanks,<br>
</blockquote>
<blockquote type="cite">Karl<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:<br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Hi Nate,<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">thanks, this is a good step forward. I noticed the following though:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">o The authorization system on the TDS server still doesn't seem to be compatible with P2P - I got an &quot;Access Denied&quot; when trying to download a file with my CMIP5-enabled pcmdi9 openid.<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">o Is there any plan to support authentication with any P2P openid, not just pcmdi9?<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">thanks, Luca<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Hello,<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">To follow up from the last telco, PCMDI9 OpenID's can now be used at the<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">NCAR site.<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Thanks!<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">-Nate<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">_______________________________________________<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">GO-ESSP-TECH mailing list<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><a href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><a href="http://mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://mailman.ucar.edu/mailman/listinfo/go-essp-tech</a><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</body>
</html>