Q: What is CARSI federation?
A: CARSI (CERNET Authentication and Resource Sharing Infrastructure) is a cross-institution identity authentication and resource sharing project of CERNET (China Education and Research NETwork). It extends campus-wide user identities to the federation so that users can access shared resources directly and conveniently. At the moment, CARSI federation resources include library e-resources, university BBS (Bulletin Board System), etc.
Q: What is SP? What is IdP?
A: SP stands for Service Provider, which connects applications to the identity federation. IdP stands for Identity Provider, which represents the campus-wide identity management system and authenticates users for federation applications. The SP and the IdP are two separate parts of an identity federation: the SP provides services to IdP-authenticated users, and the IdP authenticates users and provides user information to SPs in the form of user attributes. The precondition is that SPs and IdPs trust each other. That requires SPs and IdPs to join the same identity federation, for example CARSI, and to share the same CARSI metadata file.
Q: How to join CARSI?
A: There are two ways to join: as an SP or as an IdP. Universities can apply to be CARSI IdPs or CARSI SPs. Vendors can apply to be CARSI SPs.
CARSI IdP application steps include: a) install an IdP package; b) connect the IdP to a campus-wide identity management system, so that local user accounts are upgraded to federation accounts that have permission to visit SPs; c) provide the IdP metadata to the CARSI federation operators; d) refresh the local metadata file with the official CARSI one from www.carsi.edu.cn.
Universities and vendors can apply to be a CARSI SP as follows: a) install an SP package; b) connect the SP to an application so that it supports visits by CARSI users; c) provide the SP metadata to the CARSI federation operators; d) refresh the local metadata file with the official CARSI one from www.carsi.edu.cn.
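The shared-metadata precondition and step d) above can be checked after each refresh. The following is an added example, not CARSI code: it assumes the federation metadata file is a SAML 2.0 metadata aggregate, and the entityIDs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample aggregate; the entityIDs are placeholders, not CARSI members.
# Registration check only: it does not verify any signature on the file.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.university-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.publisher-x.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def load_roles(metadata_xml):
    """Map each entityID to the set of roles ('idp', 'sp') it registers."""
    root = ET.fromstring(metadata_xml)
    roles = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        if not entity_id:
            continue  # an entity without an entityID cannot be referenced
        found = roles.setdefault(entity_id, set())
        if entity.find("md:IDPSSODescriptor", NS) is not None:
            found.add("idp")
        if entity.find("md:SPSSODescriptor", NS) is not None:
            found.add("sp")
    return roles

def trust_gaps(metadata_xml, idp_id, sp_id):
    """Return reasons the IdP/SP pair cannot trust each other (empty list = OK)."""
    roles = load_roles(metadata_xml)
    gaps = []
    if "idp" not in roles.get(idp_id, set()):
        gaps.append(f"IdP not registered in metadata: {idp_id}")
    if "sp" not in roles.get(sp_id, set()):
        gaps.append(f"SP not registered in metadata: {sp_id}")
    return gaps

if __name__ == "__main__":
    print(trust_gaps(SAMPLE_METADATA,
                     "https://idp.university-a.example/idp/shibboleth",
                     "https://sp.publisher-x.example/shibboleth"))
```

An empty list means both parties are registered with the expected role in the same file; any entry names the side that is missing from it.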
Q: How is users' privacy protected in CARSI?
A: IdP 3.0 provides a user privacy protection function. Once this function is enabled, users are notified during identity authentication and asked to confirm which personal attributes may be sent to which service provider and application.
Q: Can the SP and IdP run on an IPv6 network?
A: Yes, and they can run on pure IPv6 as well.
Q: CARSI History and Today?
A: The CARSI project was initiated by Peking Univ. and started in CERNET in 2007. In 2010, it had grown to more than 30 universities; in 2013, to more than 70 universities. Today, CARSI is in the pilot stage.
Q: What is the CARSI user authentication process?
A: In CARSI, the process is composed of two parts: user authentication and application visit. User identity authentication is required before a user can visit a service provider and an application. There are two workflows for this.
a) User authentication before application visit
A user first visits the CARSI directory service at http://ds.carsi.edu.cn and selects his home institution. Then he types his username and password into his home IdP login page. After successful authentication, the user types the application URL into the browser and is taken to the service directly, without any further authentication.
b) Application visit before user authentication
A user visits a CARSI SP application, for example http://www.ieee.org. Guided by the application, the user selects CERNET CARSI Identity Federation and visits http://ds.carsi.edu.cn or his home institution login page. The user types in his campus-network username and password. After successful authentication, he is automatically redirected to the application web page he first visited.
Q: What resources are in CARSI?
A: Currently, CARSI resources include more than 20 e-resources from publishers such as Thomson Reuters, RSC Publishing, IEEE, Nature Publishing Group, Elsevier and EBSCO.
Q: What can I do if my home institution is not in CARSI?
A: Please contact the university central IT department, for example, the Network Center, or the library.
Q: How does CARSI protect my personal privacy?
A: IdP3.x has a function named user personal privacy protection. It notifies the user which attributes will be released and sends them to service providers only after getting the user's permission.
Q: Can I visit CARSI over IPv6?
A: Yes. The CARSI ds (directory service) and most SP and IdP packages can operate on pure IPv6. Some SPs and IdPs cannot yet.