
Version 14 (modified by pjkersha, 9 years ago)



Security Architecture for the Earth System Grid Federation

This page covers collaboration work carried out by the BADC with the ESGF partner organisations to develop an architecture for federated identity management and access control for the ESGF.

Architectural Overview

The ESG architecture is divided into two top-level components, a Gateway and a Data Node. In security terms, the Gateway performs the function of Identity Provider and is the administrator and controller of authorisation policy. The Data Node is the Service or Resource Provider: it serves data and hosts the security components that protect access to it, and it delegates authorisation policy to its associated Gateway. The relationship may be one to many: one Gateway to several Data Nodes.

source:TI12-security/trunk/NDGSecurity/documentation/ESGF/ESGSecurityOverview.png

Authentication

The Earth System Grid security architecture supports OpenID and PKI based authentication for services. For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes. OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.

PKI Based Authentication

The diagram below shows the interactions as a sequence. URIs requiring authentication return a redirect response to the client, prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS. On successful login, a redirect response from the authentication service returns the client to the original request URI, so that the resource may be accessed, or further authorisation policy applied first:

source:TI12-security/trunk/NDGSecurity/documentation/ESGF/OPeNDAPSSLAuthentication.png

OpenID Based Authentication

This diagram shows how OpenID based authentication can be offered alongside PKI based authentication using the same configuration and endpoints. The server is agnostic to the client's authentication request type: if a certificate is passed in the SSL handshake, then that method is used; if not, the default is OpenID based sign in:

source:TI12-security/trunk/NDGSecurity/documentation/ESGF/OpenIDWithSSLBasedRelyingParty.png
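The redirect-and-authenticate flow of the two diagrams above, as an added Python sketch that is not code from the ESGF or NDG Security projects: a filter in front of the data service redirects unauthenticated requests to the authentication service carrying the original URI, and the service uses PKI if the TLS handshake carried a verified client certificate, falling back to OpenID sign in otherwise. The endpoint paths, the session cookie and the mod_ssl-style SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN variables are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed names (not from the page): paths, session cookie, mod_ssl-style TLS variables.
PROTECTED_PREFIX = "/thredds/dodsC/"   # OPeNDAP URIs requiring authentication
AUTHN_PATH = "/esg-auth/login"         # authentication service under HTTPS
OPENID_PATH = "/esg-auth/openid"       # OpenID based sign in fallback
SESSIONS = {}                          # session id -> identity (demo store)

def _redirect(location, identity=None, extra=()):
    return "302 Found", [("Location", location), *extra], identity

def safe_return_uri(uri):
    """Accept only a path on this server as return-to, so the parameter that
    carries the original request URI cannot be turned into an open redirect."""
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return uri

def protect(environ):
    """Filter in front of the data service: a protected URI requested without a
    valid session is redirected to the authentication service with the original URI."""
    path = environ.get("PATH_INFO", "/")
    if not path.startswith(PROTECTED_PREFIX):
        return "200 OK", [], None
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("session")
    identity = SESSIONS.get(morsel.value) if morsel else None
    if identity:
        return "200 OK", [], identity
    query = environ.get("QUERY_STRING", "")
    original = path + ("?" + query if query else "")
    return _redirect(AUTHN_PATH + "?" + urlencode({"return_to": original}))

def authenticate(environ):
    """Authentication service: use the client certificate if the TLS handshake
    verified one, else fall back to OpenID; on success start a session and redirect back."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    return_to = safe_return_uri(params.get("return_to", ["/"])[0])
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS" or not environ.get("SSL_CLIENT_S_DN"):
        return _redirect(OPENID_PATH + "?" + urlencode({"return_to": return_to}))
    identity = environ["SSL_CLIENT_S_DN"]     # subject DN of the verified cert
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = identity
    cookie = "session=%s; Secure; HttpOnly" % session_id
    return _redirect(return_to, identity, [("Set-Cookie", cookie)])
```

A certificate that the TLS layer did not verify is treated exactly like no certificate, so the OpenID fallback is the only other path to a session.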