... | ... | @@ -2,13 +2,13 @@ |
|
|
|
|
|
![B2ACCESS integration - sequence diagram](https://raw.githubusercontent.com/wiki/EUDAT-B2SAFE/B2SAFE-core/eudat_aai-b2safe_sequence.png)
|
|
|
|
|
|
1a) Authorization scripts, scheduled periodically, fetches the user attributes from Unity (B2ACCESS),
|
|
|
1a) Authorization scripts, scheduled periodically, fetches the user attributes from Unity ([B2ACCESS](https://eudat.eu/services/b2access)),
|
|
|
via REST admin interface, providing username/password. It gets the attributes of all the registered users.
|
|
|
In particular it gets the unique id associated to each user which, combined with the EUDAT CA distinguished name and
|
|
|
the username, will form the distinguished name of any X.509 SLC (Short Living Credential) token released for that user. The attributes are stored in a local cache, implemented by a json file.
|
|
|
the username, will form the distinguished name of any [X.509](https://www.itu.int/rec/T-REC-X.509) SLC (Short Lived Credential) token released for that user. The attributes are stored in a local cache, implemented by a json file.
|
|
|
2a) The same set of authorization scripts synchronize periodically the local cache with the B2SAFE service, which associates the Global DN to the local iRODS username.
|
|
|
|
|
|
1b) The user from her browser initiates the flow via the Web portal to request a resource (x.509 slc),
|
|
|
1b) The user from her browser initiates the flow via the Web portal to request a resource (X.509 SLC),
|
|
|
2) she doesn't have an access token and she is not authenticated, therefore request for an access token from oauth-as (B2ACCESS) through the Web portal,
|
|
|
3) since she is not authenticated, she is redirected to her external IDP (IDentity Provider) via Unity (goes
|
|
|
through [SAML](https://www.oasis-open.org/standards#samlv2.0) Web SSO (Single Sign On) sequences),
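Review bot: the rewritten line 1a) corrects the SLC expansion and adds the B2ACCESS link but keeps the agreement error "Authorization scripts, scheduled periodically, fetches"; since the line is being touched anyway, change it to "fetch" (and "It gets" on the following line to "They get"), and consider "periodically synchronize" in 2a) for the same reason. Separately, this hunk documents that the scripts authenticate to the Unity REST admin interface with a username/password and write every registered user's attributes, including the unique id that becomes part of each X.509 SLC distinguished name, into a local JSON cache, but it says nothing about where that admin credential is stored or how the cache file is protected. A sentence stating the expected handling (credential kept in a configuration file readable only by the account running the scheduled scripts, cache file not world-readable) would close that gap in the wiki text.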
|
... | ... | |