## Authentication process based on the federated identity approach
![B2ACCESS integration - sequence diagram](https://raw.githubusercontent.com/wiki/EUDAT-B2SAFE/B2SAFE-core/eudat_aai-b2safe_sequence.png)

1a) Authorization scripts, scheduled periodically, fetch the user attributes from Unity (B2ACCESS) via its REST admin interface, authenticating with a username and password. They get the attributes of all the registered users. In particular they get the unique id associated with each user which, combined with the EUDAT CA distinguished name and the username, forms the distinguished name of any X.509 SLC (Short Living Credential) token released for that user. The attributes are stored in a local cache, implemented as a JSON file.

2a) The same set of authorization scripts periodically synchronizes the local cache with the B2SAFE service, which associates the Global DN with the local iRODS username.
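As an added example (not code from the B2SAFE-core project), the cache-and-sync logic of steps 1a and 2a in Python: the layout of the Unity REST response, the EUDAT CA DN value and the exact RDN layout of the Global DN are assumptions, and the generated `iadmin rua`/`iadmin aua` commands drop a mapping as soon as B2ACCESS stops vouching for a DN, so a deregistered user or a changed unique id cannot keep authenticating through a stale Global DN.

```python
import re

# Constructed sample of the attributes fetched from the Unity REST admin
# interface; the real response layout is an assumption.
UNITY_USERS = [
    {"unique_id": "1f2a9c", "username": "alice", "irods_user": "alice"},
    {"unique_id": "7b3d0e", "username": "bob", "irods_user": "bob"},
]
# Placeholder for the EUDAT CA distinguished name (not the real value).
EUDAT_CA_DN = "/C=EU/O=EUDAT/OU=Online CA"
# Constructed previous cache (the JSON file of step 1a): bob's unique id has
# changed in B2ACCESS and carol has been deregistered, so both old DNs must
# stop mapping to an iRODS user.
OLD_CACHE = {
    "alice": {"dn": EUDAT_CA_DN + "/CN=alice 1f2a9c", "irods_user": "alice"},
    "bob": {"dn": EUDAT_CA_DN + "/CN=bob 000000", "irods_user": "bob"},
    "carol": {"dn": EUDAT_CA_DN + "/CN=carol 9e9e9e", "irods_user": "carol"},
}
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._@-]+$")

def global_dn(ca_dn, username, unique_id):
    """Build the SLC subject DN from CA DN, username and Unity unique id.
    The RDN layout is an assumption; '/' and '=' are rejected so a crafted
    username cannot smuggle extra RDNs into the DN."""
    for value in (username, unique_id):
        if not _SAFE_COMPONENT.match(value):
            raise ValueError(f"unsafe DN component: {value!r}")
    return f"{ca_dn}/CN={username} {unique_id}"

def build_cache(users, ca_dn=EUDAT_CA_DN):
    """Step 1a: turn the fetched attributes into the local cache structure."""
    return {u["username"]: {"dn": global_dn(ca_dn, u["username"], u["unique_id"]),
                            "irods_user": u["irods_user"]} for u in users}

def sync_commands(old, new):
    """Step 2a: diff previous and current cache and emit the iadmin commands
    that keep B2SAFE's DN -> iRODS user mapping in step. A DN is removed
    (rua) whenever B2ACCESS no longer vouches for it, and added (aua) for
    every new or changed DN."""
    cmds = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        changed = before is not None and after is not None and before["dn"] != after["dn"]
        if before and (after is None or changed):
            cmds.append(f'iadmin rua {before["irods_user"]} "{before["dn"]}"')
        if after and (before is None or changed):
            cmds.append(f'iadmin aua {after["irods_user"]} "{after["dn"]}"')
    return cmds
```

Running `sync_commands(OLD_CACHE, build_cache(UNITY_USERS))` yields a removal and re-addition for bob and a removal for carol, while alice is untouched.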

1b) The user, from her browser, initiates the flow via the Web portal to request a resource (an X.509 SLC),

2) she does not have an access token and is not authenticated, so she requests an access token from the oauth-as (B2ACCESS) through the Web portal,

3) since she is not authenticated, she is redirected to her external IdP (Identity Provider) via Unity (this goes through the [SAML](https://www.oasis-open.org/standards#samlv2.0) Web SSO (Single Sign On) sequence),

4) after a successful login, the oauth-as (B2ACCESS) issues an authorization code to the browser,

5) the browser sends that authorization code to the Web portal,

6) the Web portal uses the authorization code to fetch an access token from the oauth-as on the user's behalf,

7) the Web portal sends a request containing the access token and a CSR (certificate signing request) to the online CA (Certification Authority),

8) the online CA

> i) validates the token with the oauth-as (B2ACCESS),

> ii) queries attributes for the user from Unity (B2ACCESS) and receives a SAML assertion with those attributes,

> iii) embeds those attributes into an extension of the signed X.509 SLC token, and

> iv) returns it to the Web portal,

9) the user downloads the signed X.509 SLC token and, with a command line tool like grid-proxy-init, generates a personal proxy,

10) with the X.509 proxy just created, she is able to authenticate to B2SAFE via the GSI mechanism.