DN Based Authentication

From Gcube Wiki

Introduction

The SOA3 Connector within gCube can authenticate HTTPS requests by using the Distinguished Name (DN) of an X.509 certificate. The DN must be associated with a user or service profile: in the first case the DN is an attribute of a user entry in the infrastructure LDAP, in the second case it is associated with a GHN profile in the Information System.

Distinguished Name Based Authentication

Flow

The SOA3 Connector Client first checks whether a security header is present in the received SOAP message; if it is, the Client uses the received information to ask its cache or SOA3 for the authentication (Username/Password, Federation or Ticket). If no security header is found but the message was sent over HTTPS, the Connector Client extracts the Distinguished Name from the client certificate and forwards it to the Connector Server in the Authorization header of an Authentication Request, in the form:

Authorization DN Base64(Distinguished Name)


When the SOA3 Connector Server receives a DN Authentication Request, it looks for profiles associated with that DN by applying the following flow:

  • checks its cache
  • sends a query to the Information System asking for GHNs associated with the DN
  • sends a query to the User Management Service

If no profile is found after completing this flow, the Authentication Request is rejected; otherwise a ticket is returned.
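The request format and the server-side lookup flow above, worked through end to end as an added example (not code from gCube or the SOA3 Connector). The GHN and user directories, the DN values and the ticket format are constructed stand-ins for the Information System, the User Management Service and SOA3 tickets; the strict-base64 check on the header is an assumption about how a robust server should behave, not something the page states.

```python
import base64
import binascii
import secrets
from typing import Optional

# Constructed sample directories standing in for the Information System
# (GHN profiles) and the User Management Service (LDAP user entries).
GHN_PROFILES = {"CN=ghn01.example.org,OU=gCube,O=Example": "ghn:ghn01"}
USER_PROFILES = {"CN=Alice Example,OU=Users,O=Example": "user:alice"}


def build_dn_authorization(dn: str) -> str:
    """Client side: encode the certificate DN as 'DN Base64(Distinguished Name)'."""
    return "DN " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


class DnAuthenticator:
    """Server side: resolve a DN to a profile via cache -> IS -> UMS, else reject."""

    def __init__(self) -> None:
        self.cache: dict[str, str] = {}

    def parse_header(self, header: str) -> Optional[str]:
        """Return the decoded DN, or None if the scheme or payload is not valid."""
        scheme, _, payload = header.strip().partition(" ")
        if scheme != "DN" or not payload:
            return None
        try:
            # validate=True rejects non-alphabet characters instead of skipping them
            return base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None

    def lookup(self, dn: str) -> Optional[str]:
        """Cache first, then GHN profiles (IS), then user entries (UMS)."""
        if dn in self.cache:
            return self.cache[dn]
        profile = GHN_PROFILES.get(dn) or USER_PROFILES.get(dn)
        if profile is not None:
            self.cache[dn] = profile  # remember the resolution for later requests
        return profile

    def authenticate(self, header: str) -> Optional[str]:
        """Return a ticket for a DN bound to a profile, None when the request is rejected."""
        dn = self.parse_header(header)
        if dn is None:
            return None
        profile = self.lookup(dn)
        if profile is None:
            return None
        return f"ticket-{profile}-{secrets.token_hex(8)}"  # constructed ticket format
```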