Changes between Version 9 and Version 10 of T12_Security/ESG/SecuringOPeNDAP
Timestamp: 25/01/10 15:47:38
Author: pjkersha
  • T12_Security/ESG/SecuringOPeNDAP

    v9 v10  
    55The User Agent makes a request to the OPeNDAP service.  This is intercepted by the Session Handler.  This checks with the authorisation handler to see if the requested URI is a secured one.  This is the case, so the Session Handler then checks to see if the user has a valid session cookie.  The user does not so they are returned a redirect request to redirect them to the Authentication Handler.   
    66 
    7 The Authentication Handler is hosted on a separate BADC node.  (This consists of an OpenID Relying Party interface fronted with a filter to perform SSL client authentication if a client certificate is submitted).  The handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is a browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility between OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
     7The Authentication Handling filters are hosted as a separate BADC service running over SSL but in the same domain.  (This consists of an OpenID Relying Party interface fronted with a filter to perform SSL client authentication if a client certificate is submitted).  The handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is a browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility between OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
    88 
    99The Authentication Handler, checks for a client certificate passed, and if present, authenticates based on this certificate.  The certificate is accepted and the agent is returned a redirect response containing a session cookie.  The agent invokes this redirect back to the original OPeNDAP URI it requested.  This time, the Session Handler receives the request and finds a session cookie confirming the user has previously authenticated.  It then passes the request to the Authorisation Handler.
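Review bot: the new wording in line 7 ("running over SSL but in the same domain") is the property that makes the cookie flow in line 9 work, and the text should say why: the session cookie set by the authentication service in its redirect is only presented to the OPeNDAP Session Handler if the cookie's Domain attribute covers both the authentication host and the OPeNDAP host, so state the cookie's domain scoping explicitly. Related gap: line 7 says the authentication service runs over SSL but nothing says the OPeNDAP service does; if the cookie is set with the Secure attribute it will not be sent to a plain-HTTP OPeNDAP URI, and if it is not, it travels in clear, so the document should say which. Line 7 also says the filter "checks for a client certificate in the SSL handshake" and returns a 401 "if none is provided"; that only works if the SSL endpoint is configured to request but not require a client certificate, otherwise the handshake fails before any 401 can be returned and the browser OpenID path is unreachable. Consistency: line 9 still says "The Authentication Handler" while line 7 now says "The Authentication Handling filters"; use one term. Minor: "contains OpenID Relying Party interface" needs an article and "the users OpenID URL" needs an apostrophe.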