Q: What is the CARSI federation?
A: CARSI (CERNET Authentication and Resource Sharing Infrastructure) is a cross-institution identity authentication and resource sharing project of CERNET (China Education and Research NETwork). It extends campus-wide user identities to the federation so that users can access shared resources directly and conveniently. At the moment, CARSI federation resources include: library e-resources, university BBS (Bulletin Board System), etc.
Q: What is an SP? What is an IdP?
A: SP stands for Service Provider, the component that connects applications to the identity federation. IdP stands for Identity Provider, which represents the campus-wide identity management system and authenticates users for federation applications. The SP and the IdP are two separate parts of an identity federation: the SP provides services to users authenticated by an IdP, and the IdP authenticates users and provides user information to SPs in the form of user attributes. The precondition is that SPs and IdPs trust each other. That requires SPs and IdPs to join the same identity federation, for example CARSI, and to share the same CARSI metadata file.
Q: How to join CARSI?
A: There are two ways to join: as an SP or as an IdP. Universities can apply to be CARSI IdPs or CARSI SPs. Vendors can apply to be CARSI SPs.
The CARSI IdP application steps are: a) install an IdP package; b) connect the IdP to the campus-wide identity management system, so that local user accounts are upgraded to federation accounts that have permission to visit SPs; c) provide the IdP metadata to the CARSI federation operators; d) refresh the local metadata file with the official CARSI one from www.carsi.edu.cn.
Universities and vendors can apply to be a CARSI SP as follows: a) install an SP package; b) connect the SP to an application so that it supports visits by CARSI users; c) provide the SP metadata to the CARSI federation operators; d) refresh the local metadata file with the official CARSI one from www.carsi.edu.cn.
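Added example (not from the original page or from CARSI): a check an operator could run after step d) to confirm that the refreshed local metadata file has not expired and lists both the IdP and the SP, which is the trust precondition described above. It assumes the metadata file is a SAML 2.0 EntitiesDescriptor aggregate whose validUntil attribute uses whole-second UTC form; the entity IDs and the sample document are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample aggregate; entity IDs are placeholders, not real CARSI members.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2030-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.university.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://library.vendor.example/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def load_federation(xml_text):
    """Return (valid_until, {entityID: set of roles}) from a metadata aggregate."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntitiesDescriptor":
        raise ValueError("not a SAML metadata aggregate")
    # Assumption: validUntil is whole-second UTC, e.g. 2030-01-01T00:00:00Z.
    raw = root.get("validUntil")
    valid_until = None
    if raw:
        valid_until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    entities = {}
    for ent in root.iter(MD + "EntityDescriptor"):
        # An entity counts as an IdP or SP only if it carries that role descriptor.
        roles = set()
        if ent.find(MD + "IDPSSODescriptor") is not None:
            roles.add("idp")
        if ent.find(MD + "SPSSODescriptor") is not None:
            roles.add("sp")
        entities[ent.get("entityID")] = roles
    return valid_until, entities

def check_trust(xml_text, idp_id, sp_id, now=None):
    """List reasons the local copy would not support a login from idp_id to sp_id."""
    now = now or datetime.now(timezone.utc)
    valid_until, entities = load_federation(xml_text)
    problems = []
    if valid_until is not None and now >= valid_until:
        problems.append("metadata expired; refresh the local copy")
    if "idp" not in entities.get(idp_id, set()):
        problems.append("IdP not registered in this metadata: " + idp_id)
    if "sp" not in entities.get(sp_id, set()):
        problems.append("SP not registered in this metadata: " + sp_id)
    return problems
```

An empty list from check_trust means both parties are present with the expected roles in an unexpired file; it does not verify where the file came from.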
Q: How is user privacy protected in CARSI?
A: IdP 3.0 provides a user privacy protection function. Once this function is enabled, users are notified during identity authentication and asked to confirm which personal attributes may be sent to which service provider and application.
Q: Can the SP and IdP run on an IPv6 network?
A: Yes, and they can run on pure IPv6 as well.