Changes between Initial Version and Version 1 of T12_Security/ESG/OpenIDLoginAndAR5AuthorizationRequestFormAtIdP

26/08/08 10:34:44 (11 years ago)



  • T12_Security/ESG/OpenIDLoginAndAR5AuthorizationRequestFormAtIdP

    v1 v1  
     3=== OpenID Login and AR5 Authorization Request Form at IdP === 
     5==== Description ==== 
     6Browser based federated access to secured AR5 data and allocation of AR5 access rights to a registered user.  A draft based on Section C 3d) of the Architectural Assumptions document (v0.3) 
     8==== Actors ==== 
     9 * ESG Site serving secured AR5 data 
     10 * BADC User i.e. user belongs to an organisation trusted by the ESG site. 
     11 * BADC site (OpenID Provider where user is registered) 
     12 * Client browser 
     14==== Assumptions ==== 
     15 * user is not logged in to ESG site 
     16 * user doesn't have AR5 authorization 
     17 * control to AR5 data is governed by a federation wide attribute called AR5_ACCESS. 
     19==== Triggers ==== 
     20A user accesses a secured AR5 dataset from the ESG site. 
     22==== Outcome ==== 
     23User is granted authorization to access secured AR5 data from ESG site. 
     25==== Normal Course ==== 
     26 1. The user browses ESG site and selects an AR5 secured dataset 
     27 1. The ESG site blocks access because user is not logged in 
     28 1. The site redirects user to page with form to select the user's OpenID provider 
     29 1. The user enters their BADC OpenID identifier or selects BADC from a list of sites (ID Select mode) 
     30 1. The user's browser is redirected to the BADC.  They login. 
     31 1. The BADC OpenID provider redirects browser back to ESG site passing user authorization attributes in addition to the usual OpenID protocol message response content. 
     32 1. The ESG site checks the user's authorization attributes for the AR5_ACCESS attribute. 
     33 1. AR5_ACCESS is not present 
     34 1. '''ESG site redirects user's browser to the BADC authorization request form.''' 
     35 1. User completes details and submits and awaits a response. 
     36 1. According to the approval criteria, the user is granted or denied the AR5_ACCESS attribute. 
     37 1. If approved, the user's home site (the BADC) updates the user's profile adding AR5_ACCESS to it's list of authorisation attributes. 
     39==== Notes ==== 
     40At point 9) we'd like to present the authorization form so that the user can request the AR5_ACCESS attribute but the authorization request form should be served from the user's home site (the BADC) not the ESG site they're visiting.^*^ 
     42We envisage that the ESG site would know the address of this authorization request page from: 
     43 a. an additional attribute sent by the BADC OpenID provider over the OpenID interface ''or'' 
     44 a. the ESG site keeps a record of the location of an authorization request form URL for each site it trusts in its whitelist.  
     46 * a) is likely to be less error prone because the maintainer of the authorization page sends the URL. 
     47 * SSL could be used to enable the ESG site to check that it is calling a valid BADC URL. 
     49The last step is dependent on the approval method.  If there was immediate approval, a redirect could send the user back to the ESG site to enable them to access the AR5 data.  This is not likely given the approval methods we've looked at are going to involve some delay. 
     51^*^ ''Last ESG-NDG Telecon 24/07/08: Luca expects that between ESG partners the convention will be for the data provider site to host the authorization form.''
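Review bot: In the Notes, option a) has the ESG site learn the authorization request form URL from an attribute sent over the OpenID interface, and step 9 of the Normal Course then redirects the browser to it, but the only check described is that "SSL could be used". SSL tells the ESG site which host it is talking to, not whether that host is one it trusts, so I'd state explicitly that a URL received under a) is compared with the whitelist entry for the user's OpenID provider (https scheme, host belonging to that trusted site) before the redirect in step 9 is issued, so the redirect target is never decided by an attribute value alone. Separately, the Normal Course has no branch for AR5_ACCESS being present at step 7 or for the request being denied at step 11, while the Outcome covers only the granted case; an alternative-course section would close that gap. Minor: "it's list" in step 12 should read "its list".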