Changes between Initial Version and Version 1 of SecurityTeam/CredentialsTransferInterface


Timestamp: 03/07/06 12:11:58 (13 years ago)
Author: pjkersha
  • SecurityTeam/CredentialsTransferInterface

== Credentials Transfer Interface ==

== Objective ==
Describe the interface between
 * the data provider requesting user credentials (the requester)
 * the user's home login page (the provider)

== Data Provider ==
 * Calls its local Attribute Authority to get a list of trusted hosts and their associated login URIs.
 * loginURI is a new field added to each trusted host entry in the mapping configuration; see [http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/tags/stable-TI12-security-v0.71-ALPHA/python/conf/mapConfig.xml]
 * The list can be displayed to the user as a droplist on a form.
 * When the user submits, the login page is accessed with the additional form field argument "returnURI=...".
 * returnURI is set to the URI of the current page so that the browser can be returned to this page once the credentials have been retrieved from the user's home site.
 * When the home site returns the browser to the data provider page, the cookie credentials are set in the URI:
   * NDG-ID1 - the user's session ID
   * NDG-ID2 - the encrypted URI of the Session Manager holding the user's session
 * The data provider's server-side script must read these two fields and put them in a new security cookie in the data provider's domain.

== Home Site Login ==
 * This page must be some kind of server-side script.
 * It must support HTTPS.
 * If it receives a request with the field "returnURI=...", it has received a request for credentials to be redirected back to a data provider URI.
 * It checks for a current NDG security cookie. If one is set, it parses the cookie and returns the content to returnURI with the arguments NDG-ID1 and NDG-ID2 set.
 * If no cookie is set, it displays the login page.
 * The user logs in and the local Session Manager is called.
 * The Session Manager creates a new session and returns a cookie to the login page.
 * The login page sets the cookie, parses its content and returns to the data provider with the NDG-ID1 and NDG-ID2 arguments set as before.
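The two sides of the exchange above, as an added Python sketch that is not part of the wiki page or the NDG code base. The trusted-host table, host names and cookie values are constructed; it assumes the NDG security cookie carries the two fields under the names NDG-ID1 and NDG-ID2, and the allow-list check on returnURI plus the Secure/HttpOnly cookie flags are added hardening the page does not describe.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample of what the Attribute Authority returns: trusted host
# -> loginURI (hypothetical values, not the project's real mapConfig.xml).
TRUSTED_HOSTS = {"home.example.org": "https://home.example.org/login"}
CREDENTIAL_FIELDS = ("NDG-ID1", "NDG-ID2")

def _add_query(uri, params):
    """Append params to a URI, keeping any query string it already carries."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    query.update({k: [v] for k, v in params.items()})
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def data_provider_login_request(home_host, current_page):
    """Data provider: send the browser to the chosen home site's loginURI
    with returnURI set to the page the user should come back to."""
    return _add_query(TRUSTED_HOSTS[home_host], {"returnURI": current_page})

def home_site_login(request_uri, ndg_cookie_header, trusted_return_hosts):
    """Home site: answer a credentials request. Returns the redirect URI
    carrying NDG-ID1/NDG-ID2, or None when the login page must be shown."""
    query = parse_qs(urlsplit(request_uri).query)
    return_uri = query.get("returnURI", [None])[0]
    if return_uri is None:
        raise ValueError("not a credentials request: no returnURI field")
    # Added check (assumption, not in the page): redirect only to data
    # providers the home site trusts, never to an arbitrary returnURI.
    if urlsplit(return_uri).hostname not in trusted_return_hosts:
        raise ValueError("returnURI host is not a trusted data provider")
    if not ndg_cookie_header:
        return None  # no NDG security cookie: display the login page
    # Assumption: the NDG security cookie holds the two fields by name.
    cookie = SimpleCookie(ndg_cookie_header)
    return _add_query(return_uri, {f: cookie[f].value for f in CREDENTIAL_FIELDS})

def data_provider_set_cookie(returned_uri):
    """Data provider: read NDG-ID1/NDG-ID2 from the returned URI and build
    the security cookie for its own domain (Secure/HttpOnly are added)."""
    query = parse_qs(urlsplit(returned_uri).query)
    cookie = SimpleCookie()
    for field in CREDENTIAL_FIELDS:
        cookie[field] = query[field][0]
        cookie[field]["secure"] = True
        cookie[field]["httponly"] = True
    return cookie
```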