Frequently Asked Questions
Q: What is CARSI?
A: CARSI (CERNET Authentication and Resource Sharing Infrastructure) at Peking University is a one-year project sponsored by CNGI, the China Next Generation Infrastructure Plan, and a three-year project sponsored by the Hi-tech Research and Development Program of China (863 Program), started in December 2006. The project aims to build an authentication and authorization infrastructure for CERNET universities and their users so that the web resources they build can be shared within and beyond CERNET. The basis for this inter-institutional authentication and authorization infrastructure is the unified identity management systems already deployed in the candidate universities.
Q: What is CARSI-Fed or CERNET-Fed?
A: CARSI-Fed, also called CERNET-Fed, is the testbed federation of the CARSI project. Federation is an important concept for guaranteeing cross-domain identity trust and closed resource sharing among universities. CARSI-Fed/CERNET-Fed supports Single Sign-On over CERNET, so federation users can use their home university's account to access another trusted university's services. Joining CARSI-Fed/CERNET-Fed reduces the need for students and staff to maintain multiple accounts in order to access services at various universities. All CERNET members and other research institutions in China are welcome to join.
Q: What types of CARSI-Fed membership are there?
A: You can apply for one of four CARSI-Fed membership types: Test-IdP, Test-SP, Operating-IdP and Operating-SP. IdP and SP are the two major federation elements. IdP is the abbreviation for Identity Provider; SP is the abbreviation for Service Provider.
• Test-IdP is set up for testing purposes. A Test-IdP is not required to be connected to an actually operating university identity management system. Any university can register to be a Test-IdP.
• Test-SP is set up for testing purposes. Any university service can register to be protected by a Test-SP.
• Operating-IdP connects to an operating identity provider of a university. It means that the university wishes to act as an IdP for the actual members of that university. After that, users managed by the IdP have the right to access shared resources. A university can request to be an Operating-IdP.
• Operating-SP protects operating web application(s). It means that a university wishes to offer actual services to federation users. A university can request to be an Operating-SP.
Q: How can my university benefit from joining CARSI-Fed/CERNET-Fed? What is our obligation?
A: Your university can choose to be an IdP, one or more SPs, or both, to benefit from CARSI-Fed.
• If you have an Operating-IdP, all your actual users become federation users directly. They can access shared web applications protected by an SP, whether that is your own university's service or another university's service. The service access is, of course, under the control of the SP's access policy.
• If you have an Operating-SP, your protected web applications can be opened to access by all federation users.
Q: What does an Identity Provider (IdP) do?
A: An IdP does the following:
• Allows SSO, within the institution and across the federation.
• Maintains user attributes while protecting privacy.
• Knows the SPs in the federation, so it only sends user attributes to trusted SPs.
• Allows IdP administrators and individual users to control attribute release.
Q: What does a Service Provider (SP) do?
A: An SP does the following:
• Protects web applications so that they can only be accessed by users of federation IdPs.
• Controls access to the service (who can access what) based on the attributes received from an IdP, i.e. it implements attribute-based access control.
• Knows the IdPs in the federation, so it only accepts user assertions from trusted IdPs.
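The two answers above describe a trust chain: the IdP releases only the attributes its policy allows to a known SP, and the SP accepts assertions only from a known IdP before applying attribute-based access control. The following is an added illustration of that chain, not code from the CARSI project; the federation member URLs, attribute names and policy values are constructed for the example.

```python
# Added example: a minimal model of IdP-side attribute release and SP-side
# trust checking plus attribute-based access control in a federation.
# All identifiers below are constructed, not real CARSI-Fed members.

# Federation metadata as each side sees it (constructed).
TRUSTED_IDPS = {"https://idp.univ-a.example/idp"}      # known to the SP
TRUSTED_SPS = {"https://library.univ-b.example/sp"}    # known to the IdP

# IdP attribute release policy: which attributes each trusted SP may receive.
RELEASE_POLICY = {
    "https://library.univ-b.example/sp": {"affiliation", "homeOrg"},
}

# SP access policy: attribute values that grant access to each resource.
ACCESS_POLICY = {
    "/e-journals": {"affiliation": {"faculty", "student"}},
}


def idp_release(sp_id, user_attrs):
    """IdP side: refuse unknown SPs; release only the permitted attributes."""
    if sp_id not in TRUSTED_SPS:
        return None
    allowed = RELEASE_POLICY.get(sp_id, set())
    return {name: value for name, value in user_attrs.items() if name in allowed}


def sp_authorize(assertion, resource):
    """SP side: accept assertions only from trusted IdPs, then apply ABAC."""
    if assertion["issuer"] not in TRUSTED_IDPS:
        return False
    rule = ACCESS_POLICY.get(resource)
    if rule is None:                      # no rule means no access (deny by default)
        return False
    attrs = assertion["attributes"]
    return all(attrs.get(name) in values for name, values in rule.items())


def federated_access(idp_id, sp_id, user_attrs, resource):
    """Run the full flow: IdP releases attributes, SP decides on access."""
    released = idp_release(sp_id, user_attrs)
    if released is None:
        return False
    assertion = {"issuer": idp_id, "attributes": released}
    return sp_authorize(assertion, resource)
```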