Federated Domain Deployment
This part of the tutorial demonstrates the Federated Domain Deployment scenario:

In the Federated Domain Deployment scenario, a Client Organisation wants to control access for a large number of its users to the services of a Service Provider, where that access is governed by Service Level Agreements (SLAs). The GRIA Client Management package lets the Client Organisation split its users into groups and assign SLAs to groups rather than to each user individually.
You should install the Client Management package locally. To do this, follow these steps:
- Download the GRIA Client Management package from the downloads page.
- Follow the Client Management Service installation instructions.
- When configuring the service, make yourself a manager by adding both your own certificate and the Certificate Authority (CA) certificate to the manager role rule. If your keystore was generated by the GRIA Client, these two are the same certificate (your certificate is self-signed, so you are your own CA):

- To export your certificate from the Client-generated keystore, make sure you export the Head Certificate and that it is PEM encoded:

Click OK. Save the certificate as my-cert.crt on your computer. Use this file when setting the manager role.
- Read the GRIA Demo CA Certificate Policy and download the GRIA Demo CA Certificate. By downloading the certificate you confirm that you agree to the terms of the GRIA Demo CA Certificate Policy.
- Using the Keytool GUI, import the GRIA Demo CA certificate you just downloaded into the server keystore of your Client Management Service:

- Click OK in all appearing dialog boxes and Yes when asked to confirm the certificate as trusted:

- Save the keystore when finished and restart your server:
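The manager role rule above takes your own certificate and the CA certificate, and the two coincide when the keystore came from the GRIA Client. The following is an added example, not part of the GRIA tutorial or the GRIA code base, that checks an exported certificate file for the two properties the export step asks for: that it is PEM encoded, and whether it is self-signed (issuer equal to subject). It uses only the Python standard library; the certificate bytes it feeds itself are constructed here with dummy signature bits and are not a real GRIA or GRIA Demo CA certificate.

```python
"""Added example (not part of the GRIA tutorial or the GRIA code base).

Checks an exported certificate file the way the manager-role step needs it:
(1) is it PEM encoded, and (2) is it self-signed, i.e. does issuer == subject?
For a keystore generated by the GRIA Client the answer to (2) is yes, so the
manager role rule receives the same certificate twice.  Standard library only;
the certificate bytes used as sample input are constructed below and are not a
real GRIA certificate (the signature bits are dummies).
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_pem(data: bytes) -> bool:
    """True if the bytes contain a BEGIN/END CERTIFICATE block with valid base64."""
    m = PEM_RE.search(data)
    if not m:
        return False
    try:
        base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return False
    return True


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate block; ValueError if not PEM."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM-encoded certificate")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE/SET value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _tlv(value, pos)
        yield tag, child


def issuer_and_subject(der: bytes):
    """Raw DER values of the issuer and subject Name fields of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]


def is_self_signed(pem: bytes) -> bool:
    """True when the certificate's issuer equals its subject (you are your own CA)."""
    issuer, subject = issuer_and_subject(pem_to_der(pem))
    return issuer == subject


# --- constructed sample input (not a real certificate) ---------------------

def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))


def make_sample_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Build a structurally valid, unsigned X.509 v3 certificate and wrap it as PEM."""
    alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b" + b"\x05\x00")  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 17))   # dummy public key bits
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))  # dummy signature bits
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    self_signed = make_sample_cert("GRIA Client user", "GRIA Client user")
    ca_issued = make_sample_cert("GRIA Demo CA", "GRIA Client user")
    print("self-signed:", is_self_signed(self_signed))   # True
    print("CA-issued :", is_self_signed(ca_issued))      # False
```

Run it against a real my-cert.crt by reading the file's bytes into is_pem and is_self_signed; a file that fails is_pem was exported in DER form rather than PEM, and a certificate that is not self-signed means the CA certificate you add to the manager role rule must be a different file from your own.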

You are now ready to use the Client Membership Service to control access to the Basic Application Services managed by the SLA Service on griademo2:
- Add the Membership Service, either by dragging its WSDL link into the Client:

- or by going to the Services menu, choosing Add a Service and entering the URL directly:
- Create new membership groups in the GRIA client by right-clicking the MembershipService and choosing Create group from the menu:

- Add the Basic Application Service, SLA Service and Trade Account Service to the Client (if they are not already there) using these links:
- https://griademo2.it-innovation.soton.ac.uk/gria-basic-app-services/services/JobService?wsdl
- https://griademo2.it-innovation.soton.ac.uk/gria-basic-app-services/services/DataService?wsdl
- https://griademo2.it-innovation.soton.ac.uk/gria-service-provider-mgt/services/TradeAccountService?wsdl
- https://griademo2.it-innovation.soton.ac.uk/gria-service-provider-mgt/services/SLAService?wsdl

- Drag the SLA you created on the griademo2 service to a group to give all members of the group access to the resource:

- You will be prompted to select the role they should be given, choose "user":

- When you do this, the access policy on the SLA is updated so that anyone with a token from the membership group has the specified role:

- Add another user in your organisation to the membership group using the Access Control tab:
You can use the Client to create a new keystore containing the other user's identity, as described in the second section. Export the other user's certificate (see above) and use it to add that user to Group 1 as a member.

- The other user can now add the membership service to their client and discover the group. They should then choose Set as default group from the menu. Every message they send will now include a SAML token asserting their membership of this group:

- This user should then be able to discover and use the SLA, and use it to store data and run jobs according to the SLA, as before.
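The steps above move access control from individual users to groups: the membership service asserts group membership in a signed token, and the SLA's access policy maps the group to a role. The following is an added example, not GRIA code, that models that flow end to end so the checks a service provider must make are visible: the token must come from an issuer the policy trusts, its signature must verify, it must not be expired, and only then is the (issuer, group) pair looked up for a role. Users, group names, issuer names and keys are constructed here; real GRIA tokens are SAML assertions signed with X.509 keys, which this model replaces with HMAC-SHA256 over JSON so it runs with the standard library alone.

```python
"""Added example (not GRIA code): a compact model of the access-control flow the
steps above describe.  A membership service holds groups and issues a signed
token asserting that a user is a member of a group; a service provider verifies
the token against the membership service key it trusts, then applies the SLA's
access policy, which maps (issuer, group) to a role such as "user".
Users, groups and keys are constructed here.  Real GRIA tokens are SAML
assertions signed with X.509 keys; this model uses HMAC-SHA256 and JSON.
"""
import base64
import hashlib
import hmac
import json


class MembershipService:
    """The Client Organisation's group service (modelled; not GRIA's API)."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self.key = signing_key
        self.groups: dict[str, set[str]] = {}

    def create_group(self, group: str) -> None:
        self.groups.setdefault(group, set())

    def add_member(self, group: str, member: str) -> None:
        self.groups[group].add(member)

    def issue_token(self, member: str, group: str, now: int, ttl: int = 300) -> str:
        """Signed assertion 'member belongs to group', valid until now + ttl."""
        if member not in self.groups.get(group, ()):
            raise PermissionError(f"{member} is not a member of {group}")
        claims = {"iss": self.name, "sub": member, "group": group, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class SLAAccessPolicy:
    """The access policy attached to one SLA at the Service Provider."""

    def __init__(self, trusted_issuers: dict[str, bytes]):
        self.trusted = trusted_issuers                 # issuer name -> verification key
        self.rules: dict[tuple[str, str], str] = {}    # (issuer, group) -> role

    def grant(self, issuer: str, group: str, role: str) -> None:
        """What dragging the SLA onto a group does: every member gets the role."""
        self.rules[(issuer, group)] = role

    def role_for(self, token: str, now: int):
        """Role granted by a token, or None if untrusted, forged, expired or unmapped."""
        body, _, sig = token.rpartition(".")
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None                   # issuer is not one this policy trusts
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                   # signature mismatch: tampered or forged
        if claims.get("exp", 0) <= now:
            return None                   # expired
        return self.rules.get((claims["iss"], claims["group"]))


def demo(now: int = 1_700_000_000) -> dict:
    """Run the tutorial's scenario and return what each request is granted."""
    ms = MembershipService("MembershipService@client-org", b"constructed-signing-key")
    ms.create_group("Group 1")
    ms.add_member("Group 1", "alice")
    ms.add_member("Group 1", "bob")

    policy = SLAAccessPolicy({ms.name: ms.key})
    policy.grant(ms.name, "Group 1", "user")     # SLA dragged onto Group 1, role "user"

    alice = ms.issue_token("alice", "Group 1", now)
    bob = ms.issue_token("bob", "Group 1", now)
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")   # damage the signature

    try:                                          # carol was never added to the group
        ms.issue_token("carol", "Group 1", now)
        non_member = "issued"
    except PermissionError:
        non_member = "refused"

    other = MembershipService("MembershipService@other-org", b"other-key")
    other.create_group("Group 1")                 # same group name, untrusted issuer
    other.add_member("Group 1", "dave")
    outsider = other.issue_token("dave", "Group 1", now)

    return {
        "alice": policy.role_for(alice, now),
        "bob": policy.role_for(bob, now),
        "non_member": non_member,
        "tampered": policy.role_for(tampered, now),
        "outsider": policy.role_for(outsider, now),
        "expired": policy.role_for(alice, now + 301),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the policy is keyed on the issuer as well as the group name: a membership service from a different organisation can define its own "Group 1", and its tokens are rejected because its key is not in the policy's trusted set, not because of the group name.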


You can also use the registry service to keep track of remote resources, so that users don't have to add each service to their client manually.
See the client management package's documentation for more information about using these services.

