[Go-essp-tech] PCMDI9 OpenId's trusted at NCAR
Nathan Hook
nhook at ucar.edu
Thu Aug 2 09:13:37 MDT 2012
Hi Karl and Luca,

To be clear, authentication (authN) is working; the error that you're
both seeing is an authorization (authZ) issue.

When we make a request to the SAML attribute service at pcmdi9
(https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm)
we always get an attribute response that has a user's first name, last
name, and email, but no listing of groups to which that user belongs.

We have tried the following openids in the SAML attribute request:

https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook
https://www.earthsystemgrid.org/myopenid/nhook
https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini
https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse
https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13

Since we're not getting back any group information from the SAML
requests, our system seems to be doing the correct behavior (denying
access) at this time.

Is there a different way that we should be authorizing a user's access
to cmip5 data?

FYI, I was able to download data directly from
http://pcmdi9.llnl.gov/esgf-web-fe/ with both my pcmdi9 and
www.earthsystemgrid.org openids without having to request access to the
cmip5 group. Has group registration been turned off, or is group
registration no longer required to access cmip5 data?

Thank you for your time.

Warm Regards,

Nathan H.

PS: We also tried all the above openids against the attribute service
at pcmdi7
(https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm).
All the pcmdi9 openids returned an UnknownPrincipal response, while
the www.earthsystemgrid.org and pcmdi3 openids returned appropriate
group information.

On 8/1/2012 9:36 AM, Karl Taylor wrote:
> Hi Nate,
>
> Even with a pcmdi9 openid, I get this error:
>
>
> so something is not quite right yet.
>
> thanks,
> Karl
>
>
> On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:
>> Hi Nate,
>> thanks, this is a good step forward. I noticed the following though:
>>
>> o The authorization system on the TDS server still doesn't seem to be compatible with P2P - I got an "Access Denied" when trying to download a file with my CMIP5-enabled pcmdi9 openid.
>>
>> o Is there any plan to support authentication with any P2P openid, not just pcmdi9 ?
>>
>> thanks, Luca
>>
>> On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:
>>
>>> Hello,
>>>
>>> To follow up from the last telco, PCMDI9 OpenID's can now be used at the
>>> NCAR site.
>>>
>>> Thanks!
>>> -Nate
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
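
The two outcomes reported in the message above (a successful SAML attribute response carrying only profile fields, and an UnknownPrincipal status) both have to end in a denial on the relying side. The following is an added example, not code from the thread or from ESGF; the attribute names, the group name and the sample responses are constructed, and signature and issuer validation are assumed to happen before this check.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
GROUP_ATTR = "example:group"  # hypothetical name; the thread does not give the real one


def authorize(response_xml, required_group):
    """Return (allowed, reason); only an explicit group match allows access."""
    # Signature and issuer validation are out of scope here and must happen first.
    root = ET.fromstring(response_xml)
    codes = [c.get("Value", "") for c in root.iterfind(".//samlp:StatusCode", NS)]
    if not codes or codes[0] != STATUS + "Success":
        # Report the innermost status code, which is the most specific one.
        detail = codes[-1].rsplit(":", 1)[-1] if codes else "missing status"
        return False, "attribute query failed: " + detail
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            values = attr.iterfind("saml:AttributeValue", NS)
            groups.update(t for t in ((v.text or "").strip() for v in values) if t)
    if not groups:
        return False, "no group attributes returned"
    if required_group not in groups:
        return False, "not a member of " + required_group
    return True, "member of " + required_group


def _response(status, attributes=()):
    """Build a constructed, unsigned SAML response (sample data, not captured traffic)."""
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % pair for pair in attributes)
    body = ("<saml:Assertion><saml:AttributeStatement>%s</saml:AttributeStatement>"
            "</saml:Assertion>" % attrs) if attributes else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><samlp:Status>%s'
            "</samlp:Status>%s</samlp:Response>"
            % (NS["samlp"], NS["saml"], status, body))


OK = '<samlp:StatusCode Value="%sSuccess"/>' % STATUS
PROFILE = [("example:first:name", "Test"), ("example:last:name", "User"),
           ("example:email", "user@example.org")]
PROFILE_ONLY = _response(OK, PROFILE)
WITH_GROUP = _response(OK, PROFILE + [(GROUP_ATTR, "cmip5-example")])
UNKNOWN_PRINCIPAL = _response(
    '<samlp:StatusCode Value="%sResponder"><samlp:StatusCode '
    'Value="%sUnknownPrincipal"/></samlp:StatusCode>' % (STATUS, STATUS))
```

Keeping the reason string separate from the boolean lets an operator tell "identity provider does not know this openid" apart from "identity provider knows the user but sent no groups" in the access log, while the decision stays deny in both cases.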