Authentication process based on the federated identity approach
1a) Authorization scripts, scheduled periodically, fetches the user attributes from Unity (B2ACCESS),
via REST admin interface, providing username/password. It gets the attributes of all the registered users.
In particular it gets the unique id associated to each user which, combined with the EUDAT CA distinguished name and the username, will form the distinguished name of any X.509 SLC (Short Lived Credential) token released for that user. The attributes are stored in a local cache, implemented by a json file.
2a) The same set of authorization scripts synchronize periodically the local cache with the B2SAFE service, which associates the Global DN to the local iRODS username.
1b) The user from her browser initiates the flow via the Web portal to request a resource (X.509 SLC),
2) she doesn't have an access token and she is not authenticated, therefore request for an access token from oauth-as (B2ACCESS) through the Web portal,
3) since she is not authenticated, she is redirected to her external IDP (IDentity Provider) via Unity (goes through SAML Web SSO (Single Sign On) sequences),
4) after successfully logged in, oauth-as (B2ACCESS) issues an authorization code to the browser,
5) the browser sends that authorization code to the Web portal,
6) the Web portal uses the authorization code to fetch an access token from the oauth-as on user's behalf,
7) the Web portal sends a request containing the access token and csr to the online CA (Certification Authority),
8) The online CA
i) validates the token with oauth-as (B2ACCESS),
ii) query attributes from Unity (B2ACCESS) for the user and receives a SAML assertion with attributes
iii) embed those attributes into the extension of the signed X.509 SLC token, and
iv) return it to the Web portal
- the user downloads the signed X.509 SLC token and through a command line tool like grid-proxy-init generates a personal proxy.
- With the X.509 proxy just created, she is able to authenticate via GSI mechanism to B2SAFE.