DN Based Authentication

From Gcube Wiki
Revision as of 11:17, 25 October 2013 by Ciro.formisano (Talk | contribs) (Introduction)

Introduction

The SOA3 Connector with gCube can authenticate HTTPS requests by using the Distinguished Name (DN) of the X509 Certificate. This DN should be associated with a user or service profile: in the first case the DN is an attribute of a user entry in the iMarine user LDAP, in the second case it is associated with a GHN profile in the Information System.

Distinguished Name Based Authentication

Flow

The SOA3 Connector Client checks whether the security header is present in the received SOAP Message: if it is, the Client uses the received information to ask its cache or SOA3 for the authentication in the way described in other pages (Username/Password, Federation or Ticket). If the security header is not found but the message is sent over HTTPS, the Connector Client checks the Distinguished Name and forwards it to the Connector Server in the Authorization Header of an Authentication Request in the form:

Authorization DN Base64(Distinguished Name)


When the SOA3 Connector Server receives a DN Authentication Request, it looks for a profile associated with that DN by applying the following flow:

  • checks its cache
  • sends a query to the Information System asking for GHNs associated with the DN
  • sends a query to the User Management Service

If, after completing the flow, it doesn't find any profile, the Authentication Request is rejected; otherwise a ticket is returned.
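
The server-side flow described above, as an added sketch in Python (not SOA3 Connector code). The class and function names, the two lookup callables standing in for the Information System and the User Management Service, the opaque random ticket, the caching of successful lookups and the sample DNs are all assumptions made for illustration.

```python
import base64
import binascii
import secrets

class AuthRejected(Exception):
    """Raised when the request is malformed or no profile matches the DN."""

def parse_dn_header(value):
    """Return the DN carried in an Authorization value of the form 'DN <base64>'."""
    scheme, _, payload = value.strip().partition(" ")
    if scheme != "DN" or not payload.strip():
        raise AuthRejected("not a DN authentication request")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        dn = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise AuthRejected("malformed DN payload") from exc
    if not dn.strip():
        raise AuthRejected("empty DN")
    return dn.strip()

class DnAuthenticator:
    """Cache, then Information System (GHNs), then User Management Service."""
    def __init__(self, ghn_lookup, user_lookup):
        self.cache = {}                 # DN -> profile
        self.ghn_lookup = ghn_lookup    # hypothetical Information System query
        self.user_lookup = user_lookup  # hypothetical User Management query

    def authenticate(self, header_value):
        dn = parse_dn_header(header_value)
        profile = self.cache.get(dn)    # step 1: cache
        if profile is None:
            # steps 2 and 3: exact string match on the DN; a deployment
            # needs one canonical DN string form on both sides
            profile = self.ghn_lookup(dn) or self.user_lookup(dn)
            if profile is None:
                raise AuthRejected("no profile associated with DN")
            self.cache[dn] = profile    # assumption: cache successful lookups
        # assumption: the ticket is an opaque random token
        return {"ticket": secrets.token_urlsafe(16), "profile": profile}

# Constructed sample directories, not real gCube data
GHNS = {"CN=node1.example.org,O=Example": "ghn:node1"}
USERS = {"CN=Jane Doe,O=Example": "user:jdoe"}

def demo():
    auth = DnAuthenticator(GHNS.get, USERS.get)
    header = "DN " + base64.b64encode(b"CN=Jane Doe,O=Example").decode()
    return auth.authenticate(header)["profile"]
```

The header value carries no proof by itself: the DN is only meaningful because the Connector Client took it from the HTTPS request, so the Connector Server should accept DN Authentication Requests only from that client.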