Changes between Version 10 and Version 11 of ESGF


Timestamp:
11/10/10 09:53:27 (10 years ago)
Author:
pjkersha
Comment:

--

  • ESGF

    v10 v11  
    99 
    1010=== Authentication === 
    11 The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.  The diagram below shows the interactions in a sequence.  URIs requiring authentication return a redirect response to the client prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS.  On successful, login a redirect response from the authentication serivce returns the client to the original request URI so that the resource may be accessed or further prior authorisation policy applied: 
     11The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.   
     12 
     13==== PKI Based Authentication ==== 
     14The diagram below shows the interactions in a sequence.  URIs requiring authentication return a redirect response to the client prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS.  On successful, login a redirect response from the authentication serivce returns the client to the original request URI so that the resource may be accessed or further prior authorisation policy applied: 
    1215 
    1316[[Image(source:TI12-security/trunk/NDGSecurity/documentation/ESGF/OPeNDAPSSLAuthentication.png)]] 
    1417 
     18==== OpenID Based Authentication ==== 
     19This diagram show how OpenID based authentication can be offered alongside PKI based authentication using the same configuration and endpoints.  The server is agnostic to the client's authentication request type.  If a certificate is passed in the SSL handshake, then this method is used, if not then the default is OpenID based sign in: 
     20 
     21[[Image(source:TI12-security/trunk/NDGSecurity/documentation/ESGF/OpenIDWithSSLBasedRelyingParty.png)] 
     22
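
Review bot: The Image macro on new line 21 closes with a single `]` where the existing macro on line 16 closes with `]]`, so the OpenIDWithSSLBasedRelyingParty.png diagram will not render; add the missing bracket. New line 14 carries over two slips from the old paragraph, the misplaced comma in "On successful, login" and the misspelling "serivce", and new line 19 should read "This diagram shows". The fallback rule in line 19 ("If a certificate is passed in the SSL handshake, then this method is used, if not then the default is OpenID based sign in") would be clearer split into two sentences. It also implies the client certificate is optional in the handshake, which is worth stating outright since the whole selection between PKI and OpenID depends on it.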