Introduction First answer Solution Demo Future Conclusion
Authentication
Shih, A., Haigron, R., Le Sidaner, P.
IVOA Interop, Shanghai 14-17/05/2017
Authentication
Why we need it... in Open Data
For the proprietary period.
To use the VO infrastructure before publishing.
To use VO resources (like computing nodes, storage, etc.) on demand.
To prepare the publishing of a large project.
etc.
Requirements
What we need
Don't want to manage people.
Ability to authenticate non-web applications like ssh/rsync, and also Aladin and Topcat.
Ability to authenticate existing applications.
Ability to manage authorizations easily.
Easy to integrate in new applications and old applications.
Easy to deploy.
Easy to maintain with little manpower.
Secure.
SSO
How SSO works
SSO
Problems
Heavily based on HTTP redirects, so it doesn't work well outside a web browser.
Hard to use on the CLI (ssh, etc.).
Lots of implementations: SAML2 (Shibboleth), OAuth, OpenID, etc.
Complex to very complex to integrate.
Doesn't integrate authorizations: each application must manage its own authorizations, meaning each application provider must implement their own tools.
LDAP
Why
Use LDAP for authentication, backed by ID federation.
LDAP is a well documented protocol.
All (almost) applications can easily use LDAP as an authentication back-end.
Easy to use on the CLI.
LDAP has a « group » notion: use LDAP groups as the authorizations back-end.
Easy to centralize.
But
Don't want to populate the LDAP.
Don't want to manage expiration.
LDAP+SSO
Using SSO
Populate an LDAP
Prototype
The user is asked to choose an authentication service (like ORCID, Google, GitHub, Facebook, etc.).
If they don't have an account, we invite them to create one.
We generate a temporary password and add it to an LDAP.
Prototype
Use this login/password pair in all your applications.
The password is temporary, with the same TTL as the cookie of any web application.
All providers can use this LDAP authentication.
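The provisioning step of the prototype (SSO login done, temporary password minted, LDAP entry written, TTL checked), as an added Python example that is not the project's code. The users branch `ou=users,dc=padc,dc=fr,dc=ivoa`, the 8-hour TTL and the use of `{SSHA}` for `userPassword` are assumptions; no LDAP server is contacted, the block only builds the LDIF.

```python
import base64, hashlib, secrets, time

# Assumed values (not from the slides): users branch mirrors the groups branch
# on the Authorizations slide; TTL matches a typical web-session cookie.
BASE_DN = "ou=users,dc=padc,dc=fr,dc=ivoa"
PASSWORD_TTL_SECONDS = 8 * 3600

def generate_temp_password(nbytes=18):
    """Random URL-safe temporary password (144 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(nbytes)

def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)

def provision(uid, mail, now=None):
    """Prototype step after the SSO login: mint a temporary password and build the
    LDIF entry for the LDAP. Returns (clear_password, expires_at, ldif); the clear
    password is shown to the user once, only the {SSHA} hash goes to the directory."""
    now = time.time() if now is None else now
    password = generate_temp_password()
    expires_at = int(now) + PASSWORD_TTL_SECONDS
    # uid/mail are assumed already validated; DN/LDIF escaping is out of scope here.
    ldif = "\n".join([
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}", f"cn: {uid}", f"sn: {uid}", f"mail: {mail}",
        f"userPassword: {ssha_hash(password)}",
    ])
    return password, expires_at, ldif

def is_expired(expires_at, now=None):
    """Cookie-like TTL check; server-side enforcement by password policy is not shown."""
    now = time.time() if now is None else now
    return now >= expires_at
```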
Authorizations
Easy to manage authorizations: create a group (in LDAP) like
cn=myapplication,ou=groups,dc=padc,dc=fr,dc=ivoa
Authorizations with a memberOf test. For example:
Apache: Require ldap-group myapplication
PAM: pam_filter |(member=cn=myapplication,ou=groups,dc=padc,dc=fr,dc=ivoa)
sshd: AllowGroups and ldap.conf
Using topcat and DaCHS
We have an internal TAP server (not open to the whole internet): http://voparis-jpl.obspm.fr/tap
We don't want to modify this application.
We put an LDAP authenticating proxy in front of that server.
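The decision logic such a proxy runs for each request, combining the LDAP bind with the group test from the Authorizations slide, as an added Python example that is not the project's code. The `ldap_bind` and `ldap_groups` callbacks stand for a simple bind and a memberOf lookup; the in-memory directory, the user names and the temporary passwords are constructed, and the upstream URL and group DN are the ones on the slides.

```python
import base64, secrets
from http import HTTPStatus

UPSTREAM_TAP = "http://voparis-jpl.obspm.fr/tap"  # the internal TAP server from the slides
REQUIRED_GROUP = "cn=myapplication,ou=groups,dc=padc,dc=fr,dc=ivoa"  # Authorizations slide

def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def gate(header, ldap_bind, ldap_groups):
    """Decide one request's fate in front of the TAP server.
    ldap_bind(user, password) -> bool: simple bind with the temporary password.
    ldap_groups(user) -> set of group DNs the user is memberOf.
    Returns (status, detail); 200 means the request may be forwarded upstream."""
    creds = parse_basic_auth(header)
    if creds is None:
        return HTTPStatus.UNAUTHORIZED, "missing or malformed credentials"
    user, password = creds
    if not ldap_bind(user, password):
        return HTTPStatus.UNAUTHORIZED, "LDAP bind failed"
    # DN matching is case-insensitive here; a real LDAP compare does the normalisation.
    if REQUIRED_GROUP.lower() not in {g.lower() for g in ldap_groups(user)}:
        return HTTPStatus.FORBIDDEN, "not a member of " + REQUIRED_GROUP
    return HTTPStatus.OK, "forward to " + UPSTREAM_TAP

# Constructed in-memory stand-in for the directory: {uid: (temp password, groups)}.
FAKE_DIRECTORY = {
    "alice": ("tmp-pass-alice", {REQUIRED_GROUP}),
    "bob": ("tmp-pass-bob", set()),  # authenticated but not authorised
}

def fake_bind(user, password):
    entry = FAKE_DIRECTORY.get(user)
    return entry is not None and secrets.compare_digest(entry[0].encode(), password.encode())

def fake_groups(user):
    return FAKE_DIRECTORY.get(user, ("", set()))[1]

def basic_header(user, password):
    """Build the Authorization header a client such as Topcat would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```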
Using topcat and DaCHS
Screenshots: Authentication, Password, Login in TAP.
Using topcat and DaCHS
Screenshots: Select, Select, Display.
The future
Accounts convergence:
People who have multiple accounts.
People who change institution.
Create an Authorizations service.
Delegation by branch in the LDAP.
Delegation of the authorizations services.
Add SAMLv2 (Shibboleth/eduGAIN).
Conclusion
Do you want to go for that?
separate Authentication between federation and application
use LDAP as it's ready made for authentication
have a centralised Authorisation system with delegation
Then work on convergence and delegation for the next Interop?