The trust router's trusts.cfg file is in JSON format, and for processing and automation reasons the format generated by the Moonshot portal places each delimiter (square and curly bracket) on a separate line.

This page is designed to make the file easier to read and understand.

The top level

The top level of the trusts.cfg file defines three collections of entities, which are the communities in this trust infrastructure, the Identity Provider (IdP) realms and the Relying Party (RP) clients. The latter collection generally defines the organisations that are part of the infrastructure, because organisations will generally use one set of credentials for all their relying parties.

The top level
{
  "communities": [ {community}, {community}, ... ],
  "idp_realms": [ {idp_realm1}, {idp_realm2}, ... ],
  "rp_clients": [ {rp_client1}, {rp_client2}, ... ]
}

Communities

The communities collection contains the communities in this trust infrastructure. There is always a minimum of one community in a trust infrastructure, the Authentication Policy Community (APC). It is the over-arching community that includes all Relying Parties and Identity Providers. It is worth noting here that all realms in the idp_realms collection are also part of the rp_realms collection, as all identity providers are relying parties, but not all relying parties will be identity providers.

community
{
  "apcs": [ "apc" | empty ],
  "community_id": "name of the community",
  "idp_realms": [ "idp_realm1", "idp_realm2", ... ],
  "rp_realms": [ "rp_realm1", "rp_realm2", ... ],
  "type": "apc" | "coi"
}
  • The community ID, community_id, must be in FQDN format, e.g. apc.moonshot.ja.net or csc.communities.moonshot.ja.net
  • The APC community has an empty apcs field, and its type field is "apc"
  • Communities of interest (COI) set the apcs field to "apc" and their type field to "coi"

Identity Provider realms

The identity provider realms collection, idp_realms, contains the entries that define the identity realms available in this trust infrastructure. This collection includes the APC as well, since the APC is not just a community but also the identity provider for all the relying parties in the trust infrastructure. Each identity provider realm entry uses the format below:

idp_realm
{
  "aaa_servers": [ "rp_realm1", "rp_realm2", ... ],
  "apcs": [ "apc" ],
  "realm_id": "realm_id",
  "shared_config": "yes" | "no"
}
  • The aaa_servers entry must contain one or more rp_realm entries that belong to the organisation that owns (or manages) the realm in realm_id

    Currently only one aaa_servers entry is supported.

  • The realm_id must be listed in the idp_realms list of at least one community, the APC. You may add it to other communities as well.

Relying Party clients

The relying party clients collection, rp_clients, contains the entries that define the relying party clients available in this trust infrastructure. Relying party clients are bundled together by credential, so that the credentials in the gss_names collection apply to all clients in the filter_lines collection of the rp_client entry. Each relying party client entry uses the format below:

rp_client
{
  "gss_names": [ "gss_name1", "gss_name2", ... ],
  "filter": { 
      "type": "rp_permitted", 
      "filter_lines": [ {filter1}, {filter2}, ... ] 
  }
}
  • The gss_names entries are the accepted APC credentials for this rp_client.
  • The filter_lines entries will be rp_realm entries that 
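The rules spread across the communities, idp_realms and rp_clients sections above can be checked mechanically before a trusts.cfg is deployed to a trust router. The following Python validator is an added example, not code from the Moonshot project or the portal. It embeds a constructed sample trusts.cfg (all realm and community names are placeholders) and checks the constraints this page states: a single mandatory APC with an empty apcs field and type "apc", COIs with a non-empty apcs field and type "coi", FQDN-style community IDs, every idp_realm of a community also appearing in its rp_realms, each realm_id listed in the APC's idp_realms, aaa_servers naming exactly one known rp_realm, and rp_client filters of type rp_permitted. The shape of individual filter_lines entries is not defined on this page, so the validator only checks that filter_lines is a list.

```python
import json
import re

# Constructed sample trusts.cfg in the layout this page describes. Every name
# below is a placeholder, not a value from any real Moonshot deployment.
SAMPLE_TRUSTS_CFG = """{
  "communities": [
    { "apcs": [], "community_id": "apc.example.test", "type": "apc",
      "idp_realms": [ "apc.example.test", "idp.example.test" ],
      "rp_realms": [ "apc.example.test", "idp.example.test", "service.example.test" ] },
    { "apcs": [ "apc" ], "community_id": "research.communities.example.test", "type": "coi",
      "idp_realms": [ "idp.example.test" ],
      "rp_realms": [ "idp.example.test", "service.example.test" ] }
  ],
  "idp_realms": [
    { "aaa_servers": [ "idp.example.test" ], "apcs": [ "apc" ],
      "realm_id": "idp.example.test", "shared_config": "no" }
  ],
  "rp_clients": [
    { "gss_names": [ "service@example.test" ],
      "filter": { "type": "rp_permitted", "filter_lines": [] } }
  ]
}"""

# Hostname-style FQDN: two or more dot-separated labels of letters, digits and hyphens.
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def validate_trusts_cfg(cfg):
    """Return a list of rule violations; an empty list means the file is consistent."""
    problems = []
    for key in ("communities", "idp_realms", "rp_clients"):
        if not isinstance(cfg.get(key), list):
            problems.append(f"top level: '{key}' missing or not a list")
    if problems:
        return problems  # the checks below assume all three collections exist

    apcs = [c for c in cfg["communities"] if c.get("type") == "apc"]
    if not apcs:
        problems.append("communities: no APC (type 'apc') defined; one is always required")

    all_rp_realms = set()
    for c in cfg["communities"]:
        cid = c.get("community_id", "<missing community_id>")
        if not FQDN_RE.match(str(cid)):
            problems.append(f"community {cid}: community_id is not an FQDN")
        if c.get("type") not in ("apc", "coi"):
            problems.append(f"community {cid}: type must be 'apc' or 'coi'")
        if c.get("type") == "apc" and c.get("apcs"):
            problems.append(f"community {cid}: the APC must have an empty apcs field")
        if c.get("type") == "coi" and not c.get("apcs"):
            problems.append(f"community {cid}: a COI must reference its APC in apcs")
        # Every identity provider is also a relying party: idp_realms is a subset of rp_realms.
        for r in set(c.get("idp_realms", [])) - set(c.get("rp_realms", [])):
            problems.append(f"community {cid}: idp_realm {r} is missing from rp_realms")
        all_rp_realms.update(c.get("rp_realms", []))

    for realm in cfg["idp_realms"]:
        rid = realm.get("realm_id", "<missing realm_id>")
        if not any(rid in a.get("idp_realms", []) for a in apcs):
            problems.append(f"idp_realm {rid}: realm_id not listed in the APC's idp_realms")
        servers = realm.get("aaa_servers", [])
        if not servers:
            problems.append(f"idp_realm {rid}: aaa_servers must name at least one rp_realm")
        elif len(servers) > 1:
            problems.append(f"idp_realm {rid}: only one aaa_servers entry is currently supported")
        for s in servers:
            if s not in all_rp_realms:
                problems.append(f"idp_realm {rid}: aaa_server {s} is not a known rp_realm")
        if realm.get("shared_config") not in ("yes", "no"):
            problems.append(f"idp_realm {rid}: shared_config must be 'yes' or 'no'")
        if not realm.get("apcs"):
            problems.append(f"idp_realm {rid}: apcs must not be empty")

    for i, client in enumerate(cfg["rp_clients"]):
        names = client.get("gss_names")
        if not names or not all(isinstance(n, str) for n in names):
            problems.append(f"rp_client #{i}: gss_names must be a non-empty list of strings")
        flt = client.get("filter", {})
        if flt.get("type") != "rp_permitted":
            problems.append(f"rp_client #{i}: filter.type must be 'rp_permitted'")
        if not isinstance(flt.get("filter_lines"), list):
            problems.append(f"rp_client #{i}: filter.filter_lines must be a list")
    return problems


def sample_problems():
    """Validate the constructed sample; returns [] because the sample is consistent."""
    return validate_trusts_cfg(json.loads(SAMPLE_TRUSTS_CFG))


def sample_with_unlisted_realm_problems():
    """Drop the IdP realm from the APC's idp_realms and report what the validator catches."""
    cfg = json.loads(SAMPLE_TRUSTS_CFG)
    cfg["communities"][0]["idp_realms"].remove("idp.example.test")
    return validate_trusts_cfg(cfg)
```

To check a real file, load it with json.load and pass the result to validate_trusts_cfg; an empty list means every rule on this page holds. The second helper shows the most common portal-generated inconsistency this page warns about, a realm_id that is not listed in the APC's idp_realms, being reported as a single distinct problem.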