Changes between Version 6 and Version 7 of T12_Security/ESG/SecuringOPeNDAP


Timestamp: 12/11/09 13:36:49 (10 years ago)
Author: pjkersha

  • T12_Security/ESG/SecuringOPeNDAP

    v6 v7  
    55The User Agent makes a request to the OPeNDAP service.  This is intercepted by the Session Handler.  This checks with the authorisation handler to see if the requested URI is a secured one.  This is the case, so the Session Handler then checks to see if the user has a valid session cookie.  The user does not so they are returned a redirect request to redirect them to the Authentication Handler.   
    66 
    7 The Authentication Handler is hosted on a separate BADC node.  This consists of an OpenID relying Party interface fronted with a filter to perform SSL client authentication if a client certificate is submitted.  In this case, the handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility with OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
     7The Authentication Handler is hosted on a separate BADC node.  (This consists of an OpenID Relying Party interface fronted with a filter to perform SSL client authentication if a client certificate is submitted).  The handler receives the request over HTTPS and checks for a client certificate in the SSL handshake.  If none is provided, the handler returns a HTTP 401 Unauthorised response but this also contains OpenID Relying Party interface.  If the User Agent is a browser, the user can intervene and enter their OpenID URL and proceed with OpenID based sign in.  In this case though, on receipt of the HTTP 401 Unauthorised response, the agent re-invokes the URL but this time passing a client certificate.  For ESG, to enable compatibility between OpenID and certificate based authentication, the certificate contains the users OpenID URL embedded in a certificate extension.  This extension is a SAML assertion. 
    88 
    9 The authentication handler, checks for client certificate passed, and if present, authenticates based on this certificate.  The certificate is accepted and the agent is returned a redirect response containing a session cookie.  The agent invokes this redirect back to the original OPeNDAP URI it requested.  This time, the Session Handler receives the request and finds a session cookie confirming the user has previously authenticated.  It then passes the request to the Authorisation Handler. 
     9The Authentication Handler, checks for a client certificate passed, and if present, authenticates based on this certificate.  The certificate is accepted and the agent is returned a redirect response containing a session cookie.  The agent invokes this redirect back to the original OPeNDAP URI it requested.  This time, the Session Handler receives the request and finds a session cookie confirming the user has previously authenticated.  It then passes the request to the Authorisation Handler. 
    1010 
    11 The Authorisation Handler checks the security policy for the OPeNDAP service to find out which attributes constrain access and which Attribute Service to query to pull user attribute information.  The Attribute Service, in this case is one hosted at PCMDI since the data is secured with an AR5 archive attribute.  The service is queried passing the users OpenID URL.  It returns a response asserting that this user has the AR5 archive attribute.  The Authorisation Handler makes an authorisation decision authorising the user to access the requested OPeNDAP URI.  It allows the user request through to the OPeNDAP application.  This returns a response to the user. 
     11The Authorisation Handler checks the security policy for the OPeNDAP service to find out which attributes constrain access and which Attribute Service to query to pull user attribute information.  The Attribute Service, in this example is one hosted at PCMDI since the data is secured with an AR5 archive attribute.  The service is queried passing the users OpenID URL.  It returns a response asserting that this user has the AR5 archive attribute.  The Authorisation Handler makes an authorisation decision authorising the user to access the requested OPeNDAP URI.  It allows the user request through to the OPeNDAP application.  This returns a response to the user. 
    1212 
    1313[[Image(source:TI12-security/trunk/documentation/esgInteroperabilityForIPCCar5/OPeNDAPAccessControlWithSSLClientAuthentication.png)]]
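Review bot: new line 9 states "The certificate is accepted" without documenting what the Authentication Handler validates before it issues the session cookie; since line 7 says the client certificate carries the user's OpenID URL in a SAML assertion extension, and line 11 says that OpenID URL is what is later passed to the Attribute Service, the text should state that the certificate chain and the assertion in the extension are verified (and which issuers are accepted) before the embedded OpenID URL is trusted. Related: the cookie is minted by a handler on a separate BADC node (line 7) and then presented to the Session Handler at the original OPeNDAP URI (line 9), so the page should say how the Session Handler validates a cookie issued elsewhere and whether the OPeNDAP URI itself is served over HTTPS as the Authentication Handler is. Minor: line 9's "The Authentication Handler, checks for a client certificate passed" has a stray comma; on line 7, "a HTTP 401 Unauthorised response" and "contains OpenID Relying Party interface" should read "an HTTP 401 Unauthorised response" and "contains the OpenID Relying Party interface"; "the users OpenID URL" on lines 7 and 11 needs an apostrophe.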