<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Luca,<br>
<br>
On 9/6/2012 10:38 AM, Cinquini, Luca (3880) wrote:<br>
</div>
<blockquote
cite="mid:01957221-8B6C-4FBC-B8E5-01CD192A9E9C@jpl.nasa.gov"
type="cite">
Thanks Eric, this is good.
<div>This of course assumes that they are already registered in
CMIP5 Research, otherwise the standard mechanism for registering
won't be triggered, correct?</div>
</blockquote>
CMIP5 Research group membership should no longer be required for
NCAR data access. We've reviewed the CESM data distribution policy
(which includes the CMIP5 data products at NCAR). Per the policy,
these data files should be as openly available as possible, provided
basic use metrics are captured (i.e. auth-n is necessary).<br>
<br>
CMIP5 Research group membership should not be required to access and
download CESM CMIP5 data files. As a result, we've removed the
CMIP5 Research group from these datasets and access to these data
files should be simplified. (I.e. we're in the same boat as GFDL re.
data file access.)
<blockquote
cite="mid:01957221-8B6C-4FBC-B8E5-01CD192A9E9C@jpl.nasa.gov"
type="cite">
<div>Also, are all the other P2P openids recognized too ?</div>
</blockquote>
We should be accepting all P2P OpenIDs at this point. We recently
updated to the latest available truststore. The only caveat would be
lag if a new IDP comes online that requires a truststore update.<br>
<br>
Thanks,<br>
<br>
-Eric<br>
<blockquote
cite="mid:01957221-8B6C-4FBC-B8E5-01CD192A9E9C@jpl.nasa.gov"
type="cite">
<div>thanks again, Luca</div>
<div><br>
<div>
<div>On Sep 6, 2012, at 10:33 AM, Eric Nienhouse wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Karl, Luca,<br>
<br>
We've updated the ESG-NCAR Gateway to address the issues
noted below. Users should now be able to login and
successfully download CMIP5 data using PCMDI9 OpenIDs.<br>
<br>
Thanks,<br>
<br>
-Eric<br>
<br>
<br>
On 8/3/2012 4:38 PM, Eric Nienhouse wrote:<br>
</div>
<blockquote cite="mid:501C52EE.8010301@ucar.edu"
type="cite">Hi Luca,<br>
<br>
Thanks for the details below. We're getting proper
CMIP5 related group attributes from the Attribute
Service (ATS) at pcmdi9 when asserting the CMIP5 related
data access attributes as you note.<br>
<br>
We need to make a few changes to the Gateway to issue
these SAML requests in support of end-to-end authorized
file downloads from the TDS at ESG-NCAR.<br>
<br>
The CMIP5 download tests noted below as not requiring
CMIP5 registration for access were made to the GFDL
datanode. Other nodes tested (e.g. pcmdi9,
<a moz-do-not-send="true" href="http://CMCC.it">CMCC.it</a>)
require CMIP5 registration as expected.<br>
<br>
I'll let you know once this is deployed to the
production ESG-NCAR Gateway and pcmdi9 OpenIDs can
successfully download. A number of folks are out on
vacation, so it may be a bit until this is ready.<br>
<br>
-Eric<br>
<br>
On 8/2/2012 12:33 PM, Cinquini, Luca (3880) wrote:
<blockquote
cite="mid:7AEA50E4-58F8-4288-A746-7982BE90EB65@jpl.nasa.gov"
type="cite">
Hi Nathan:
<div><br>
<div>
<div>On Aug 2, 2012, at 9:13 AM, Nathan Hook
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div>Hi Karl and Luca,<br>
<br>
To be clear authentication (authN) is working,
the error that you're both seeing is an
authorization (authZ) issue.<br>
</div>
</blockquote>
<div><br>
</div>
yes correct.<br>
<blockquote type="cite">
<div><br>
When we make a request to the saml attribute
service at pcmdi9 (<a moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a>)
we always get an attribute response that has a
user's first name, last name, and email, but
no listing of groups to which that user
belongs.<br>
<br>
We have tried the following openids in the
saml attribute request:<br>
<a moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook">https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://www.earthsystemgrid.org/myopenid/nhook">https://www.earthsystemgrid.org/myopenid/nhook</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse">https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13">https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13</a><br>
<br>
Since we're not getting back any group
information from the saml requests, our system
seems to be doing the correct behavior
(denying access) at this time.<br>
<br>
Is there a different way that we should be
authorizing a user's access to cmip5 data?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Please see below for an example of a SAML
request to the pcmdi9 attribute service, and the
corresponding HTTP response. Basically, if the
client asks for the attributes named "CMIP5
Commercial" and "CMIP5 Research", their values
will be returned, if found (i.e. the user has
obtained CMIP5 membership).</div>
<div><br>
</div>
<blockquote type="cite">
<div><br>
FYI, I was able to download data directly from
<a moz-do-not-send="true"
href="http://pcmdi9.llnl.gov/esgf-web-fe/">
http://pcmdi9.llnl.gov/esgf-web-fe/</a> with
both my pcmdi9 and <a moz-do-not-send="true"
href="http://www.earthsystemgrid.org/">
www.earthsystemgrid.org</a> openids without
having to request access to the cmip5 group.
Has group registration been turned off or is
group registration no longer required to
access cmip5 data?</div>
</blockquote>
<br>
</div>
<div>The security enforcement is really established
by the data node, not the web-fe. Which dataset
were you trying to download ? I know GFDL provides
free access to their data, all other data nodes
should require CMIP5 membership. I just verified
that, with a new pcmdi9 openid, I am asked to
register when requesting data from the pcmdi9
datanode. </div>
<div>Also, the old memberships have been transferred
to the new system, so your <a
moz-do-not-send="true"
href="http://www.earthsystemgrid.org/">
www.earthsystemgrid.org</a> openid should
already be enabled. I can only explain the success
of your pcmsi9 openid if:</div>
<div>a) somehow you had enrolled in CMIP5 at some
point</div>
<div>b) or, you were really downloading free data
from GFDL</div>
<div><br>
</div>
<div>thanks, Luca</div>
<div><br>
<blockquote type="cite">
<div><br>
Thank you for your time.<br>
<br>
Warm Regards,<br>
<br>
Nathan H.<br>
<br>
<br>
PS: We also tried all the above openids
against the attribute service at pcmdi7 (<a
moz-do-not-send="true"
href="https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm">https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm</a>).
All the pcmdi9 openids returned an
UnknownPrincipal response, while the <a
moz-do-not-send="true"
href="http://www.earthsystemgrid.org/">
www.earthsystemgrid.org</a> and pcmdi3
openids returned appropriate group
information.<br>
</div>
</blockquote>
<div><br>
</div>
=====================================================================================================</div>
<div><br>
</div>
<div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: Querying
SOAP endpoint: <a moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a>
timeout=10000 milliseconds</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: <?xml
version="1.0"
encoding="UTF-8"?><soap11:Envelope
xmlns:soap11="<a moz-do-not-send="true"
href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>"></div>
<div> <soap11:Body></div>
<div> <saml2p:AttributeQuery
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="63c0c153-a6dc-42d7-9b50-30801c9f3d57"
IssueInstant="2012-08-02T18:21:03.380Z"
Version="2.0"></div>
<div> <saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF
Authorization Service</saml2:Issuer></div>
<div> <saml2:Subject
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></div>
<div> <saml2:NameID
Format="urn:esg:openid"><b><a
moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b></saml2:NameID></div>
<div> </saml2:Subject></div>
<div> <saml2:Attribute
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="CMIP5 Commercial" NameFormat="<a
moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/></div>
<div> <saml2:Attribute
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="<b>CMIP5 Research</b>" NameFormat="<a
moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/></div>
<div> <saml2:Attribute
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="urn:esg:group:role" NameFormat="<a
moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/></div>
<div> </saml2p:AttributeQuery></div>
<div> </soap11:Body></div>
<div></soap11:Envelope></div>
<div><br>
</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: Response
header name=Server value=Apache-Coyote/1.1</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: Response
header name=Content-Type value=text/xml</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: Response
header name=Content-Length value=1760</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: Response
header name=Date value=Thu, 02 Aug 2012 18:21:03
GMT</div>
<div>[DEBUG]
esg.security.common.SOAPServiceClient: <?xml
version="1.0"
encoding="UTF-8"?><soap11:Envelope
xmlns:soap11="<a moz-do-not-send="true"
href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>"></div>
<div> <soap11:Body></div>
<div> <saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="543c8eb4-1958-4f90-b763-e00aadc9249d"
InResponseTo="63c0c153-a6dc-42d7-9b50-30801c9f3d57"
IssueInstant="2012-08-02T18:21:03.528Z"
Version="2.0"></div>
<div> <saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF
Attribute Service</saml2:Issuer></div>
<div> <saml2p:Status></div>
<div> <saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></div>
<div> </saml2p:Status></div>
<div> <saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="51ca7a30-42a4-4af5-b704-275e4cc5b91d"
IssueInstant="2012-08-02T18:21:03.531Z"
Version="2.0"></div>
<div> <saml2:Issuer
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF
Attribute Service</saml2:Issuer></div>
<div> <saml2:Subject></div>
<div> <saml2:NameID
Format="urn:esg:openid"><b><a
moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b></saml2:NameID></div>
<div> </saml2:Subject></div>
<div> <saml2:Conditions
NotBefore="2012-08-02T18:21:03.531Z"
NotOnOrAfter="2012-08-03T18:21:03.531Z"/></div>
<div> <saml2:AttributeStatement></div>
<div> <saml2:Attribute Name="<b>CMIP5
Research</b>" NameFormat="<a
moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"></div>
<div> <saml2:AttributeValue
xmlns:xs="<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>"
xmlns:xsi="<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"
xsi:type="xs:string"><b>user</b></saml2:AttributeValue></div>
<div> </saml2:Attribute></div>
<div> </saml2:AttributeStatement></div>
<div> </saml2:Assertion></div>
<div> </saml2p:Response></div>
<div> </soap11:Body></div>
<div></soap11:Envelope></div>
<div><br>
</div>
<div>=========================================================================================</div>
<blockquote type="cite">
<div><br>
<br>
<br>
On 8/1/2012 9:36 AM, Karl Taylor wrote:<br>
<blockquote type="cite">Hi Nate,<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Even with a pcmdi9
openid, I get this error:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">so something is not
quite right yet.<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">thanks,<br>
</blockquote>
<blockquote type="cite">Karl<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">On 8/1/12 7:52 AM,
Cinquini, Luca (3880) wrote:<br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Hi Nate,<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">thanks,
this is a good step forward. I noticed the
following though:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">o The authorization
system on the TDS server still doesn't
seem to be compatible with P2P - I got an
"Access Denied" when trying to download a
file with my CMIP5-enabled pcmdi9 openid.<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">o Is there any plan
to support authentication with any P2P
openid, not just pcmdi9 ?<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">thanks, Luca<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">On Jul 31, 2012, at
2:16 PM, Nathan Wilhelmi wrote:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Hello,<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">To follow up from
the last telco, PCMDI9 OpenIDs can now
be used at the<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">NCAR site.<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Thanks!<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">-Nate<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">_______________________________________________<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">GO-ESSP-TECH
mailing list<br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><a
moz-do-not-send="true"
href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><a
moz-do-not-send="true"
href="http://mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://mailman.ucar.edu/mailman/listinfo/go-essp-tech</a><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
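<p>Added example (not ESGF project code, and not from anyone in the thread): a small Python client that builds the same SAML 2.0 AttributeQuery that appears in Luca's debug log, then checks the attribute service's response before a gateway treats it as an authorization decision. It encodes the point the thread turns on: the service answers only for the attribute names the client asks about, so a query that omits "CMIP5 Research" gets no group back and the data node correctly denies. The two response samples are constructed (one mirrors the quoted response, the other the name-and-e-mail-only response Nathan describes, with assumed attribute names), and the validation assumes the unsigned assertion is trusted only because it arrived over the mutually authenticated TLS connection to the /saml/soap/secure/ endpoint.</p>

```python
"""Added example, not ESGF code: build the SAML 2.0 AttributeQuery from the
thread and validate the attribute service's response before an authZ decision.
Samples are constructed; non-CMIP5 attribute names are assumed; the assertion
is unsigned, so trust rests on the mutually authenticated TLS channel."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"soap11": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
OPENID_FMT = "urn:esg:openid"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

class SamlResponseError(Exception):
    """The response must not be used for an authorization decision."""

def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (t.microsecond // 1000)

def _from_iso(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def build_attribute_query(openid, attribute_names, query_id=None, now=None,
                          issuer="ESGF Authorization Service"):
    """Return (query_id, SOAP bytes). Each attribute the gateway needs, e.g.
    "CMIP5 Research", must be listed by Name: the service answers only for those."""
    query_id = query_id or str(uuid.uuid4())
    now = now or dt.datetime.utcnow()
    env = ET.Element("{%s}Envelope" % NS["soap11"])
    body = ET.SubElement(env, "{%s}Body" % NS["soap11"])
    q = ET.SubElement(body, "{%s}AttributeQuery" % NS["saml2p"],
                      ID=query_id, IssueInstant=_iso(now), Version="2.0")
    ET.SubElement(q, "{%s}Issuer" % NS["saml2"], Format=X509_FMT).text = issuer
    subj = ET.SubElement(q, "{%s}Subject" % NS["saml2"])
    ET.SubElement(subj, "{%s}NameID" % NS["saml2"], Format=OPENID_FMT).text = openid
    for name in attribute_names:
        ET.SubElement(q, "{%s}Attribute" % NS["saml2"], Name=name, NameFormat=XS_STRING)
    return query_id, ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_attribute_response(xml_bytes, request_id, openid, now=None):
    """Validate the response and return {attribute Name: [values]}."""
    now = now or dt.datetime.utcnow()
    resp = ET.fromstring(xml_bytes).find("soap11:Body/saml2p:Response", NS)
    if resp is None:
        raise SamlResponseError("no saml2p:Response in SOAP body")
    if resp.get("InResponseTo") != request_id:  # reject replayed/mismatched answers
        raise SamlResponseError("InResponseTo does not match our query ID")
    code = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlResponseError("status: %s" % (None if code is None else code.get("Value")))
    attrs = {}
    for a in resp.findall("saml2:Assertion", NS):
        nid = a.find("saml2:Subject/saml2:NameID", NS)
        if nid is None or nid.get("Format") != OPENID_FMT or nid.text != openid:
            raise SamlResponseError("assertion is about a different subject")
        cond = a.find("saml2:Conditions", NS)
        if cond is not None:  # enforce the NotBefore/NotOnOrAfter window
            if cond.get("NotBefore") and now < _from_iso(cond.get("NotBefore")):
                raise SamlResponseError("assertion not yet valid")
            if cond.get("NotOnOrAfter") and now >= _from_iso(cond.get("NotOnOrAfter")):
                raise SamlResponseError("assertion expired")
        for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            vals = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(vals)
    return attrs

def is_authorized(attrs, required="CMIP5 Research"):
    """Grant only if the group attribute came back with a value ("user" in the
    thread); a response with just name and e-mail, as Nathan saw, denies."""
    return any(v.strip() for v in attrs.get(required, []))

# Constructed samples: the first mirrors the response quoted in the thread, the
# second the "first name, last name, email, no groups" case (names assumed).
OPENID = "https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini"
REQUEST_ID = "63c0c153-a6dc-42d7-9b50-30801c9f3d57"
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="543c8eb4-1958-4f90-b763-e00aadc9249d"
 InResponseTo="%s" IssueInstant="2012-08-02T18:21:03.528Z" Version="2.0">
 <saml2:Issuer>ESGF Attribute Service</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion ID="51ca7a30-42a4-4af5-b704-275e4cc5b91d" IssueInstant="2012-08-02T18:21:03.531Z" Version="2.0">
  <saml2:Subject><saml2:NameID Format="urn:esg:openid">%s</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
  <saml2:AttributeStatement>%s</saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response></soap11:Body></soap11:Envelope>"""
_ATTR = ('<saml2:Attribute Name="%s" NameFormat="http://www.w3.org/2001/XMLSchema#string">'
         '<saml2:AttributeValue>%s</saml2:AttributeValue></saml2:Attribute>')
RESPONSE_WITH_GROUP = (_TEMPLATE % (REQUEST_ID, OPENID, _ATTR % ("CMIP5 Research", "user"))).encode()
RESPONSE_NO_GROUP = (_TEMPLATE % (REQUEST_ID, OPENID, "".join(_ATTR % kv for kv in [
    ("urn:esg:first:name", "Luca"), ("urn:esg:last:name", "Cinquini"),
    ("urn:esg:email:address", "user@example.org")]))).encode()

def demo(now=dt.datetime(2012, 8, 2, 18, 30)):
    """Return (granted, denied) for the two samples at a time inside the window."""
    _, query = build_attribute_query(OPENID, ["CMIP5 Commercial", "CMIP5 Research",
                                              "urn:esg:group:role"], query_id=REQUEST_ID, now=now)
    assert b'Name="CMIP5 Research"' in query  # the group must be asked for by name
    granted = is_authorized(parse_attribute_response(RESPONSE_WITH_GROUP, REQUEST_ID, OPENID, now))
    denied = is_authorized(parse_attribute_response(RESPONSE_NO_GROUP, REQUEST_ID, OPENID, now))
    return granted, denied
```

<p>Calling <code>demo()</code> returns <code>(True, False)</code>: the response carrying "CMIP5 Research" = "user" is accepted, the name-and-e-mail-only one is refused. The parser also refuses an assertion whose <code>InResponseTo</code> does not match the query it sent, whose subject is a different OpenID, or whose <code>Conditions</code> window has passed, which is what stops a captured response from being reused for another user or after its one-day validity. A production gateway would add XML signature verification if the attribute service signs its assertions; the exchange quoted in the thread carries no signature, so the mutually authenticated TLS connection is the only thing binding the answer to pcmdi9.</p>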
<br>
</body>
</html>