wiki:SecurityTeam/CredentialsTransferInterface

Version 2 (modified by pjkersha, 13 years ago)


Credentials Transfer Interface

Objective

Describe the interface between

  • data provider requesting user credentials (the requester)
  • user's home login page (provider)

Data Provider

  • Calls its local Attribute Authority to get a list of trusted hosts and their associated login URIs.
  • loginURI is a new field added to each trusted host entry in the mapping configuration; see  http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/tags/stable-TI12-security-v0.71-ALPHA/python/conf/mapConfig.xml
  • The list can be displayed to the user as a droplist on a form
  • When the user submits, the login page is accessed but with the additional form field argument "returnURI=..."
  • returnURI is set to the URI of the current page so that this page can be returned when the credentials have been retrieved from the user's home site.
  • When the home site returns the browser back to the data provider page, the cookie credentials will be set in the URI:
    • NDG-ID1 - user's session ID
    • NDG-ID2 - encrypted URI for Session Manager holding the user's session
  • The data provider's server side scripting must read these two fields and put them in a new security cookie in the data provider's domain

Home Site Login

  • This page must be some kind of server side script
  • It must support HTTPS
  • If it receives a request with the field "returnURI=...", then it has received a request for credentials to be redirected back to a data provider URI
  • It checks for a current NDG security cookie. If set, it parses and returns the content back to returnURI with the arguments NDG-ID1 and NDG-ID2 set.
  • If no cookie is set, it displays the login page.
  • User logs in and the local session manager is called
  • Session Manager creates a new session and returns a cookie to the login page.
  • Login page sets the cookie, parses the content and returns back to the data provider with NDG-ID1 and NDG-ID2 arguments set as before.
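The exchange described in the two sections above (data provider redirecting to the home site's loginURI with returnURI, home site answering with NDG-ID1 and NDG-ID2, data provider turning them into its own security cookie), written out as an added Python model. This is example code, not code from the NDG/TI12 project: it uses plain functions instead of a web server so the flow can be run offline. The field names returnURI, loginURI, NDG-ID1 and NDG-ID2 come from the page; the trusted-host table, the Session Manager stand-in, the HttpOnly flag and the allow-list check on returnURI are assumptions made for this example.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs
from http.cookies import SimpleCookie

# Constructed stand-in for the Attribute Authority's mapping configuration:
# each trusted host entry carries a loginURI field.
TRUSTED_HOSTS = {
    "Home Site A": "https://home-a.example.org/login",
    "Home Site B": "https://home-b.example.org/login",
}

# Assumption (not on the page): hosts the home site will redirect back to.
# Without this check the login page can be made to bounce a browser anywhere.
TRUSTED_RETURN_HOSTS = {"data.example.org"}


def add_query(uri, params):
    """Append params to uri, keeping any query string already present."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.update({k: [v] for k, v in params.items()})
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def make_security_cookie(creds):
    """Set-Cookie header values for the NDG security cookie. Secure follows
    from the HTTPS requirement; HttpOnly is an assumption added here."""
    jar = SimpleCookie()
    for name, value in creds.items():
        jar[name] = value
        jar[name]["secure"] = True
        jar[name]["httponly"] = True
        jar[name]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def read_security_cookie(cookie_header):
    """Parse the browser's Cookie header; return the two fields or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie(cookie_header)
    if "NDG-ID1" in jar and "NDG-ID2" in jar:
        return {"NDG-ID1": jar["NDG-ID1"].value, "NDG-ID2": jar["NDG-ID2"].value}
    return None


# --- Data provider side ----------------------------------------------------

def build_login_redirect(home_site, current_page_uri):
    """User picked a home site from the droplist: look up its loginURI and
    append returnURI so the home site can send the browser back here."""
    return add_query(TRUSTED_HOSTS[home_site], {"returnURI": current_page_uri})


def accept_credentials(return_request_uri):
    """Browser came back from the home site: read NDG-ID1 and NDG-ID2 from
    the URI and build the security cookie for the data provider's domain.
    Returns (creds, set_cookie_values) or (None, []) if fields are missing."""
    query = parse_qs(urlsplit(return_request_uri).query)
    if "NDG-ID1" not in query or "NDG-ID2" not in query:
        return None, []
    creds = {"NDG-ID1": query["NDG-ID1"][0], "NDG-ID2": query["NDG-ID2"][0]}
    return creds, make_security_cookie(creds)


# --- Home site side --------------------------------------------------------

def returnuri_is_trusted(return_uri):
    """Assumption: only redirect over HTTPS to a known data provider host."""
    parts = urlsplit(return_uri)
    return parts.scheme == "https" and parts.hostname in TRUSTED_RETURN_HOSTS


def home_site_login(request_uri, cookie_header=None, login_form=None,
                    session_manager=None):
    """Handle one request to the home site login page.

    login_form      - dict with the submitted username/password, or None
    session_manager - hypothetical callable (username, password) -> (id1, id2)
                      standing in for the local Session Manager
    Returns (status, redirect_uri, set_cookie_values); status is one of
    "no-request", "reject", "login-form" or "redirect".
    """
    query = parse_qs(urlsplit(request_uri).query)
    return_uri = query.get("returnURI", [None])[0]
    if return_uri is None:
        return "no-request", None, []          # ordinary visit, nothing to do
    if not returnuri_is_trusted(return_uri):
        return "reject", None, []
    creds = read_security_cookie(cookie_header)
    set_cookie = []
    if creds is None:
        if login_form is None:
            return "login-form", None, []      # display the login page
        # User logged in: Session Manager creates the session and returns
        # the cookie fields; the login page sets that cookie as well.
        id1, id2 = session_manager(login_form["username"], login_form["password"])
        creds = {"NDG-ID1": id1, "NDG-ID2": id2}
        set_cookie = make_security_cookie(creds)
    return "redirect", add_query(return_uri, creds), set_cookie
```

A full round trip is build_login_redirect, then home_site_login on that URI (first with no cookie, which yields "login-form"; then with the submitted form and a Session Manager callable, which yields "redirect"), then accept_credentials on the redirect URI. A second visit with the resulting cookie skips the login form and redirects straight away, as the page describes.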