CARSI CERNET Authentication and Resource Sharing Infrastructure

Frequently Asked Questions

Q: What is CARSI?

A: CARSI (CERNET Authentication and Resource Sharing Infrastructure) at Peking University is a one-year project sponsored by CNGI (the China Next Generation Internet programme) and a three-year project sponsored by the Hi-tech Research and Development Program of China (the 863 Program), started in December 2006. The project aims to build an authentication and authorization infrastructure for CERNET universities and their users, so that the web resources those universities build can be shared within CERNET and beyond. The basis for this inter-institutional authentication and authorization infrastructure is the unified identity management systems already deployed at the participating universities.

Q: What is CARSI-Fed or CERNET-Fed?

A: CARSI-Fed, also called CERNET-Fed, is the testbed federation of the CARSI project. A federation is the arrangement that establishes cross-domain identity trust among universities and keeps resource sharing restricted to its members. CARSI-Fed/CERNET-Fed supports single sign-on across CERNET, so federation users can use their home university account to access the services of another trusted university. Joining CARSI-Fed/CERNET-Fed reduces the need for students and staff to maintain separate accounts for services at different universities. All CERNET members and other research institutions in China are welcome to join.

Q: What types of CARSI-Fed membership are there?

A: You can apply for one of four CARSI-Fed membership types: Test-IdP, Test-SP, Operating-IdP and Operating-SP. IdP (Identity Provider) and SP (Service Provider) are the two main elements of the federation.
• Test-IdP is set up for testing purposes. A Test-IdP is not required to be backed by an actually operating university identity management system. Any university can register a Test-IdP.
• Test-SP is set up for testing purposes. Any university service can register to be protected by a Test-SP.
• Operating-IdP connects to a university's production identity provider. It means that the university wishes to act as an IdP for the actual members of the university; the users managed by that IdP can then access the shared resources. A university can request to become an Operating-IdP.
• Operating-SP protects production web application(s). It means that the university wishes to offer actual services to federation users. A university can request to become an Operating-SP.

Q: How can my university benefit from joining CARSI-Fed/CERNET-Fed? What is our obligation?

A: Your university can choose to run an IdP, one or more SPs, or both, and benefits accordingly.
• If you run an Operating-IdP, all of your existing users become federation users directly. They can access the shared web applications protected by SPs, whether those are your own university's services or another university's. Access to each service remains under the control of that SP's access policy.
• If you run an Operating-SP, your protected web applications can be opened to all federation users.

Q: What does an Identity Provider (IdP) do?

• Allow single sign-on, both within the institution and across the federation.
• Maintain user attributes while protecting users' privacy.
• Know the SPs in the federation, so that user attributes are sent only to trusted SPs.
• Allow IdP administrators and individual users to control which attributes are released.

Q: What does a Service Provider (SP) do?

• Protect web applications so that they can be accessed only by users of federation IdPs.
• Control access to the service (who can access what) based on the attributes received from an IdP, i.e. implement attribute-based access control.
• Know the IdPs in the federation, so that user assertions are accepted only from trusted IdPs.
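To make the IdP and SP responsibilities in the two answers above concrete, here is an added example in Python. It is not code from the CARSI project or from this FAQ; it models both sides of the trust relationship the answers describe. The IdP releases only the attributes its release policy grants, and only to SPs listed in the federation metadata; the SP accepts an assertion only if it comes from a federation IdP, its signature verifies, it was issued for this SP and is still within its validity window, and it then applies attribute-based access control. Everything here is an assumption for illustration: the entity IDs, keys, users and policies are constructed, signing is simplified to HMAC-SHA256 with a per-IdP key carried in the metadata (a real federation publishes X.509 public keys in signed metadata; the page does not say which protocol CARSI uses), and attribute names follow the eduPerson schema used by research and education federations.

```python
# Added example, not CARSI project code: a model of the trust relationships in
# the IdP and SP answers above. All entity IDs, keys, users and policies are
# constructed. Assumption: assertions are JSON signed with HMAC-SHA256 under a
# per-IdP key held in federation metadata; a real federation publishes X.509
# public keys in signed metadata, but the SP-side checks below are the same.
import hashlib, hmac, json

# Federation metadata: member IdPs (key, attribute scope) and member SPs.
FEDERATION_METADATA = {
    "idps": {"https://idp.univ-a.example/idp":
             {"key": b"univ-a-signing-key", "scope": "univ-a.example"}},
    "sps": {"https://library.univ-b.example/sp", "https://eprints.univ-b.example/sp"},
}
# IdP-side attribute release policy: the attributes each member SP may receive.
ATTRIBUTE_RELEASE_POLICY = {
    "https://library.univ-b.example/sp": {"eduPersonScopedAffiliation"},
    "https://eprints.univ-b.example/sp": {"eduPersonScopedAffiliation", "mail"},
}

def _sign(payload, key):
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

class IdP:
    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users

    def issue_assertion(self, username, sp_entity_id, now):
        # Release attributes only to member SPs, and only those the policy grants.
        if sp_entity_id not in FEDERATION_METADATA["sps"]:
            raise PermissionError("SP is not a federation member")
        allowed = ATTRIBUTE_RELEASE_POLICY.get(sp_entity_id, set())
        attrs = {k: v for k, v in self.users[username].items() if k in allowed}
        payload = {"issuer": self.entity_id, "audience": sp_entity_id,
                   "issued_at": now, "expires_at": now + 300, "attributes": attrs}
        return {"payload": payload, "signature": _sign(payload, self.key)}

class SP:
    def __init__(self, entity_id, access_policy):
        self.entity_id, self.access_policy = entity_id, access_policy

    def validate(self, assertion, now):
        # Return the usable attributes of an assertion, or raise ValueError.
        payload = assertion["payload"]
        idp = FEDERATION_METADATA["idps"].get(payload["issuer"])
        if idp is None:
            raise ValueError("IdP is not a federation member")
        if not hmac.compare_digest(_sign(payload, idp["key"]), assertion["signature"]):
            raise ValueError("signature does not verify")
        if payload["audience"] != self.entity_id:
            raise ValueError("assertion was issued for a different SP")
        if not payload["issued_at"] <= now < payload["expires_at"]:
            raise ValueError("assertion outside its validity window")
        attrs = dict(payload["attributes"])
        # Drop scoped values for scopes this IdP is not registered for, so one
        # member cannot assert affiliations that belong to another university.
        if "eduPersonScopedAffiliation" in attrs:
            attrs["eduPersonScopedAffiliation"] = [
                v for v in attrs["eduPersonScopedAffiliation"]
                if v.partition("@")[2] == idp["scope"]]
        return attrs

    def authorize(self, assertion, now):
        return self.access_policy(self.validate(assertion, now))

def members_only(attrs):
    # Attribute-based access control: current faculty, staff and students only.
    roles = {v.partition("@")[0] for v in attrs.get("eduPersonScopedAffiliation", [])}
    return bool(roles & {"faculty", "staff", "student"})

# Constructed accounts at univ-a; "carol" carries an affiliation in a foreign scope.
USERS = {
    "alice": {"eduPersonScopedAffiliation": ["student@univ-a.example"],
              "mail": "alice@univ-a.example", "displayName": "Alice"},
    "bob": {"eduPersonScopedAffiliation": ["alum@univ-a.example"]},
    "carol": {"eduPersonScopedAffiliation": ["staff@univ-b.example"]},
}
IDP = IdP("https://idp.univ-a.example/idp", b"univ-a-signing-key", USERS)
LIBRARY = SP("https://library.univ-b.example/sp", members_only)

def outcome(fn):
    try:
        return fn()
    except (ValueError, PermissionError) as exc:
        return str(exc)

def demo(now=1_700_000_000):
    # Run each check; values are True/False or the reason the IdP or SP refused.
    lib = LIBRARY.entity_id
    alice = IDP.issue_assertion("alice", lib, now)
    tampered = json.loads(json.dumps(alice))  # deep copy, then forge a role
    tampered["payload"]["attributes"]["eduPersonScopedAffiliation"] = ["faculty@univ-a.example"]
    rogue = IdP("https://idp.rogue.example/idp", b"rogue-key", USERS)
    return {
        "alice_allowed": LIBRARY.authorize(alice, now),
        "released_to_library": sorted(alice["payload"]["attributes"]),
        "bob_alum_allowed": LIBRARY.authorize(IDP.issue_assertion("bob", lib, now), now),
        "carol_foreign_scope_allowed": LIBRARY.authorize(IDP.issue_assertion("carol", lib, now), now),
        "tampered": outcome(lambda: LIBRARY.authorize(tampered, now)),
        "rogue_idp": outcome(lambda: LIBRARY.authorize(rogue.issue_assertion("alice", lib, now), now)),
        "expired": outcome(lambda: LIBRARY.authorize(alice, now + 600)),
        "non_member_sp": outcome(lambda: IDP.issue_assertion("alice", "https://unknown.example/sp", now)),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the module prints the outcome of each check: alice (a current student) is admitted and the library SP never sees her mail address or display name, bob (an alumnus) is refused by the access policy, and forged, rogue-issued, expired and mis-addressed assertions are rejected before any policy runs. The scope check in `validate` is the part practitioners most often forget: even a trusted IdP cannot make carol a `staff@univ-b.example`, because the metadata registers that IdP only for `univ-a.example`; without it, one member could mint affiliations on behalf of another.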

