Difference between revisions of "SOA3 Authentication Service"

From Gcube Wiki
(Authentication Process)
(Authentication Process)
Line 43: Line 43:
 
4. If the user is authenticated a successful response is returned to gCube Security Handler, otherwise a fail is returned
 
4. If the user is authenticated a successful response is returned to gCube Security Handler, otherwise a fail is returned
  
Federated Authentication for web portal involves Shibboleth Service Provider integrated with the Portal (see [[Shibboleth and gCube]]), in order to allow IMarine Portal to ''be federated'' to other SAML compliant Identity Providers. In order to allow IMarine registered users to use their identities to access external SAML compliant domains, a Shibboleth Identity Provider should be installed and integrated with IMarine Portal.
+
Federated Authentication for web portal involves Shibboleth Service Provider integrated with the Portal (see [[Shibboleth and gCube]]) and allows IMarine Portal to ''be federated'' to other SAML compliant Identity Providers. In order to allow IMarine registered users to use their identities to access external SAML compliant domains, a Shibboleth Identity Provider should be installed and integrated with IMarine Portal.
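Review bot: in the revised first sentence, "and allows IMarine Portal to ''be federated'' to other SAML compliant Identity Providers" leaves the direction of trust implicit, while the unchanged second sentence describes the opposite direction (IMarine acting as Identity Provider for external domains). Suggest saying outright that the Service Provider lets the Portal accept users authenticated by external SAML Identity Providers, so the two sentences read clearly as inbound and outbound federation. "Shibboleth Service Provider" would also read better with an article ("a Shibboleth Service Provider").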

Revision as of 12:55, 12 March 2013

Overview

A high-level description of the SOA3 Authentication Module is given in SOA3 Authentication Module. This section provides a deeper description of its functionalities and interfaces.


SOA3 Authentication Module


The SOA3 Authentication module receives REST messages from the gCube Security Handler (whose implementation is called SOA3 Connector). Each message carries the credentials of the sender of a request to a gCube Service, and the module authenticates that request. The credentials accepted by the Authentication Service are:

  • username and password Base64 encoded
  • SAML Assertion ID Base64 encoded

The endpoint of the service is:

http(s)://hostname:port/authService/authenticate

Authentication Process

The authentication process for username/password credentials is very simple:

1. The SOA3 Authentication Service receives a REST message with the header:

Authorization BASIC <Base64(Username:Password)>

2. The message is decoded and checked against the user list in the LDAP

3. If the user is authenticated, a successful response is returned to the gCube Security Handler; otherwise a failure is returned

Federated Authentication for Services is slightly more complex: it requires a Shibboleth Service Provider (see Shibboleth and gCube), acting as SAML Consumer, installed and integrated with the SOA3 Authentication Service (see SOA3 HowTo). The flow is the following:

1. The SOA3 Authentication Service receives a REST message with the header:

Authorization FED <Base64(AssertionID)>

2. The Assertion ID is decoded and used to get the actual assertion

3. The Assertion is validated and, if required, authorization attributes are retrieved

4. If the user is authenticated, a successful response is returned to the gCube Security Handler; otherwise a failure is returned
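
Steps 1 and 2 of both flows (reading the header and decoding the credential) can be sketched as follows. This is an added example, not SOA3 code: the names `parse_authorization`, `Credentials` and `CredentialError` are hypothetical, and it assumes the header value has the `<scheme> <Base64 token>` form shown above and that the LDAP check is performed as a simple bind.

```python
import base64
from dataclasses import dataclass
from typing import Optional


class CredentialError(ValueError):
    """Any header that must be answered with an authentication failure."""


@dataclass(frozen=True)
class Credentials:
    scheme: str                         # "BASIC" or "FED"
    username: Optional[str] = None      # BASIC only
    password: Optional[str] = None      # BASIC only
    assertion_id: Optional[str] = None  # FED only


def parse_authorization(value: str) -> Credentials:
    """Parse '<scheme> <Base64 token>' into credentials, or raise CredentialError."""
    parts = value.split()
    if len(parts) != 2:
        raise CredentialError("expected '<scheme> <token>'")
    # Assumption: scheme names are matched case-insensitively, as in HTTP.
    scheme, token = parts[0].upper(), parts[1]
    if scheme not in ("BASIC", "FED"):
        raise CredentialError("unsupported scheme")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError as exc:  # bad alphabet, bad padding, or not UTF-8
        raise CredentialError("malformed Base64 credential") from exc
    if scheme == "FED":
        if not decoded:
            raise CredentialError("empty assertion ID")
        return Credentials("FED", assertion_id=decoded)
    # BASIC: split on the first colon only, since a password may contain ':'.
    username, sep, password = decoded.partition(":")
    # Assumption: the LDAP check is a simple bind. A bind with an empty
    # password is an "unauthenticated bind" (RFC 4513, section 5.1.2) that
    # some servers accept, so it is refused before LDAP is contacted.
    if not sep or not username or not password:
        raise CredentialError("BASIC credential must be 'username:password'")
    return Credentials("BASIC", username=username, password=password)


if __name__ == "__main__":
    # Constructed sample header, not captured traffic.
    sample = "BASIC " + base64.b64encode(b"alice:s3:cret").decode()
    print(parse_authorization(sample))
```

Base64 is a reversible encoding, so both credential types are only protected in transit when the `https` form of the endpoint is used.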

Federated Authentication for the web portal involves a Shibboleth Service Provider integrated with the Portal (see Shibboleth and gCube) and allows the IMarine Portal to be federated to other SAML-compliant Identity Providers. In order to allow IMarine registered users to use their identities to access external SAML-compliant domains, a Shibboleth Identity Provider should be installed and integrated with the IMarine Portal.