[Go-essp-tech] PCMDI9 OpenId's trusted at NCAR

Nathan Hook nhook at ucar.edu
Thu Aug 2 09:13:37 MDT 2012


Hi Karl and Luca,

To be clear, authentication (authN) is working; the error that you're
both seeing is an authorization (authZ) issue.

When we make a request to the SAML attribute service at pcmdi9
(https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm)
we always get an attribute response that has a user's first name, last
name, and email, but no listing of groups to which that user belongs.

We have tried the following openids in the SAML attribute request:
https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook
https://www.earthsystemgrid.org/myopenid/nhook
https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini
https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse
https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13

Since we're not getting back any group information from the SAML
requests, our system seems to be doing the correct behavior (denying 
access) at this time.

Is there a different way that we should be authorizing a user's access 
to cmip5 data?

FYI, I was able to download data directly from 
http://pcmdi9.llnl.gov/esgf-web-fe/ with both my pcmdi9 and 
www.earthsystemgrid.org openids without having to request access to the 
cmip5 group.  Has group registration been turned off or is group
registration no longer required to access cmip5 data?

Thank you for your time.

Warm Regards,

Nathan H.


PS:  We also tried all the above openids against the attribute service 
at pcmdi7 
(https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm). 
All the pcmdi9 openids returned an UnknownPrincipal response, while
the www.earthsystemgrid.org and pcmdi3 openids returned appropriate 
group information.



On 8/1/2012 9:36 AM, Karl Taylor wrote:
> Hi Nate,
>
> Even with a pcmdi9 openid, I get this error:
>
>
> so something is not quite right yet.
>
> thanks,
> Karl
>
>
> On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:
>> Hi Nate,
>> 	thanks, this is a good step forward. I noticed the following though:
>>
>> o The authorization system on the TDS server still doesn't seem to be compatible with P2P - I got an "Access Denied" when trying to download a file with my CMIP5-enabled pcmdi9 openid.
>>
>> o Is there any plan to support authentication with any P2P openid, not just pcmdi9 ?
>>
>> thanks, Luca
>>
>> On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:
>>
>>> Hello,
>>>
>>> To follow up from the last telco, PCMDI9 OpenID's can now be used at the
>>> NCAR site.
>>>
>>> Thanks!
>>> -Nate
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
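
The top message in this thread describes two different denials: a successful SAML attribute response that carries identity attributes but no groups, and an UnknownPrincipal status. As an added example (not part of the original message or of the ESGF code), this deny-by-default check reports which case occurred; the attribute names, the group value and the sample responses are constructed placeholders, and signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
GROUP_ATTR = "urn:example:group"  # assumed name; use the one your IdP emits


def authorize(response_xml, required_group):
    """Return (allowed, reason); assumes the signature was already verified."""
    root = ET.fromstring(response_xml)
    # Status codes can nest; the innermost one is the most specific.
    codes = [c.get("Value", "") for c in root.iterfind(".//samlp:StatusCode", NS)]
    if not codes or codes[0] != STATUS + "Success":
        return False, "idp-error:" + (codes[-1][len(STATUS):] if codes else "none")
    groups, seen_group_attr = [], False
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            seen_group_attr = True
            groups += [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    if not seen_group_attr:
        # Identity attributes alone are not an authorization decision: deny.
        return False, "no-group-attributes"
    if required_group in groups:
        return True, "member"
    return False, "not-in-group"


def sample(status="Success", attrs=()):
    """Build a constructed, unsigned response for the demo."""
    code = '<samlp:StatusCode Value="%s%s"/>' % (STATUS, status)
    if status != "Success":  # second-level codes sit under a top-level one
        code = '<samlp:StatusCode Value="%sResponder">%s</samlp:StatusCode>' % (STATUS, code)
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % pair for pair in attrs)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><samlp:Status>%s'
            "</samlp:Status><saml:Assertion><saml:AttributeStatement>%s"
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
            % (NS["samlp"], NS["saml"], code, body))


# Constructed identity-only attributes (placeholder names and values).
IDENTITY = [("urn:example:first:name", "Test"), ("urn:example:email", "t@example.org")]

if __name__ == "__main__":
    print(authorize(sample(attrs=IDENTITY), "cmip5"))
    print(authorize(sample("UnknownPrincipal"), "cmip5"))
    print(authorize(sample(attrs=IDENTITY + [(GROUP_ATTR, "cmip5")]), "cmip5"))
```

Logging the reason string next to each denial makes it possible to tell an IdP that does not know the user from one that knows the user but released no group attributes.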

