Difference between revisions of "DN Based Authentication"
Andrea.manzi (Talk | contribs) (→Introduction) |
Andrea.manzi (Talk | contribs) (→Flow) |
||
| Line 7: | Line 7: | ||
==Flow== | ==Flow== | ||
| − | [[SOA3 Connector]] Client checks if the security header is present in the received SOAP Message: in this case it uses the received information to ask | + | The [[SOA3 Connector]] Client checks if the security header is present in the received SOAP Message: in this case it uses the received information to ask its cache or SOA3 for the authentication (Username/Password, Federation or Ticket). If the security header is not found but the message is sent in HTTPS, the Connector Client checks the Distinguished Name and forwards it to the Connector Server in the Authorization Header of an Authentication Request in the form: |
<code>Authorization DN Base64(Distinguished Name)</code> | <code>Authorization DN Base64(Distinguished Name)</code> | ||
| − | When SOA3 Connector Server receives a DN Authentication Request it looks for | + | When SOA3 Connector Server receives a DN Authentication Request it looks for profiles associated to that DN by applying the following flow: |
* checks its cache | * checks its cache | ||
| Line 18: | Line 18: | ||
* sends a query to the [[User Management Service]] | * sends a query to the [[User Management Service]] | ||
| − | If, after | + | If, after the completed flow, it doesn't find any profile, the Authentication request is rejected, otherwise a ticket is returned. |
Latest revision as of 12:21, 10 December 2013
Contents
Introduction
The SOA3 Connector within gCube can authenticate HTTPS requests by using the Distinguished Name of a X509 Certificate. This DN should be associated to an user or service profile: in the first case the DN is an attribute of an user entry of the infrastructure LDAP, in the second case it is associated with a GHN profile in the Information System.
Flow
The SOA3 Connector Client checks if the security header is present in the received SOAP Message: in this case it uses the received information to ask its cache or SOA3 for the authentication (Username/Password, Federation or Ticket). If the security header is not found but the message is sent in HTTPS, the Connector Client checks the Distinguished Name and forwards it to the Connector Server in the Authorization Header of an Authentication Request in the form:
Authorization DN Base64(Distinguished Name)
When SOA3 Connector Server receives a DN Authentication Request it looks for profiles associated to that DN by applying the following flow:
- checks its cache
- sends a query to the Information System asking for GHNs associated
- sends a query to the User Management Service
If, after the completed flow, it doesn't find any profile, the Authentication request is rejected, otherwise a ticket is returned.
