First Indico Workshop: Authentication
Alberto Resco Pérez
27-29 May 2013, CERN
Authentication
What is it: authentication is the act of confirming the truth of an attribute of a datum or entity.
• Users need to authenticate to access private resources
• Support for different types of authentication
Authenticators
Currently we support 3 authenticators:
• Local
• NICE (CERN specific)
• LDAP (developed by Martin Kuba)
Local Authenticator
Basic authentication
• Based on a username/password pair
• Capability to create accounts
• Stored locally
Local: administration (screenshot)
Local: login (screenshot)
Local: create an account (screenshot)
Local: email confirmation (screenshot)
Local: activation confirmation (screenshot)
Local: account moderation (screenshot)
Local: activate account (screenshot)
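The account lifecycle the screenshots above walk through (create account, e-mail confirmation, moderation, activation), written out as an added example. This is illustrative code, not Indico's own implementation: the names LocalAccounts, make_activation_token and the states awaiting_email, awaiting_moderation and active are assumptions, as are the signing secret and link lifetime at the top. The points a reviewer looks for are that the password is stored as a salted PBKDF2 hash, the activation link carries an expiring HMAC rather than a guessable database ID, comparisons are constant-time, and a user who has confirmed the address but is still awaiting moderation cannot log in.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example: the secret that signs activation links and
# the lifetime of a link. A real deployment reads both from configuration.
SERVER_SECRET = b"example-only-secret"
ACTIVATION_TTL = 24 * 3600  # seconds an emailed link stays valid


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; stored as 'salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


# Hashed once, so that a login attempt for an unknown user costs the same
# time as one for a known user (no username enumeration via timing).
_DUMMY_HASH = hash_password("unused")


def make_activation_token(login, now=None):
    """Token mailed to the new user: expiry time plus an HMAC over login and expiry."""
    expires = int((time.time() if now is None else now) + ACTIVATION_TTL)
    mac = hmac.new(SERVER_SECRET, f"{login}:{expires}".encode(), "sha256").hexdigest()
    return f"{expires}.{mac}"


def verify_activation_token(login, token, now=None):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # link expired
    expected = hmac.new(SERVER_SECRET, f"{login}:{expires}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, mac)


class LocalAccounts:
    """In-memory stand-in for the local account store (constructed, not Indico's)."""

    def __init__(self, moderation=True):
        self.moderation = moderation  # whether an admin must approve new accounts
        self.users = {}

    def create(self, login, email, password):
        if login in self.users:
            raise ValueError("login already taken")
        self.users[login] = {"email": email, "password": hash_password(password),
                             "state": "awaiting_email"}
        return make_activation_token(login)  # would be sent to `email`

    def confirm_email(self, login, token, now=None):
        user = self.users.get(login)
        if user is None or user["state"] != "awaiting_email":
            return False
        if not verify_activation_token(login, token, now):
            return False
        user["state"] = "awaiting_moderation" if self.moderation else "active"
        return True

    def moderate(self, login, approve):
        """Admin decision on an account whose e-mail address is confirmed."""
        user = self.users.get(login)
        if user is None or user["state"] != "awaiting_moderation":
            return False
        user["state"] = "active" if approve else "rejected"
        return True

    def login(self, login, password):
        user = self.users.get(login)
        stored = user["password"] if user else _DUMMY_HASH
        ok = check_password(password, stored)
        return bool(ok and user and user["state"] == "active")
```

Only an account in state active can log in; a correct password on an unconfirmed or unmoderated account is rejected, and an expired or tampered activation link is rejected before the state changes.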
NICE
CERN specific
• Web services to look up users and groups
• Single Sign-On to log in
• Sometimes very slow
NICE: authentication workflow
(diagram: SSO, Log in, Redirect, Logged in)
LDAP
LDAP is an application protocol for accessing and maintaining distributed directory information services.
• Developed by Martin Kuba
• Benefit from a centralized directory you may have in your institution
• Indico@CERN: we can get rid of the web services
OAuth
Introduced in v1.1. Support for OAuth v1.0
• OAuth is an open standard for authorization.
• OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user).
• It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (
OAuth workflow (diagram)
Indico mobile: authentication workflow
(diagram: Login, Authorize, Authorized, Indico mobile)
OAuth: administration (list of consumers)
OAuth: user applications (list of applications authorized)
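The OAuth 1.0 exchange described above (a consumer registered by the administrator, a user who authorizes it, and the consumer then calling the API on that user's behalf) rests on every request being signed with HMAC-SHA1 as specified in RFC 5849. The block below is an added example, not Indico's OAuth implementation: it builds the signature base string, signs as the client (for instance the Indico mobile app) and verifies as the server, rejecting unknown consumers, non-HMAC signature methods, stale timestamps, replayed nonces and bad signatures. OAuthServer, sign_request and the consumer and token secrets are constructed for the example; the request used in the test is modelled on the example request in RFC 5849 section 3.4.1.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 5849 §3.6 encoding: everything except A-Z a-z 0-9 - . _ ~ becomes %XX."""
    return quote(s, safe="-._~")


def base_string_uri(url):
    """§3.4.1.2: lowercase scheme and host, drop the default port and the query."""
    p = urlsplit(url)
    host = p.hostname
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, body_params, oauth_params):
    """§3.4.1: METHOD & encoded base URI & encoded normalized parameters.

    Parameters come from the query string, the form body and the oauth_*
    values (except oauth_signature); each is encoded, sorted by key then
    value, and joined with '&'."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """§3.4.2: the key is encoded consumer secret & encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: build the oauth_* parameters, including the signature."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp), "oauth_nonce": nonce}
    base = signature_base_string(method, url, body_params, oauth)
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class OAuthServer:
    """Server side (constructed for the example, not Indico's code).
    verify() returns the resource owner a valid request acts for, else None."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # oauth_token -> (token_secret, owner)
        self.window = window        # accepted clock skew, seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) already used

    def verify(self, method, url, body_params, oauth, now=None):
        now = time.time() if now is None else now
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        token = self.tokens.get(oauth.get("oauth_token"))
        if consumer_secret is None or token is None:
            return None
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return None  # never let the client pick a weaker method
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return None
        if abs(now - ts) > self.window:
            return None  # stale or far-future timestamp
        replay_key = (oauth["oauth_consumer_key"], ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return None  # nonce already used with this timestamp
        expected = hmac_sha1(signature_base_string(method, url, body_params, oauth),
                             consumer_secret, token[0])
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return None
        self.seen.add(replay_key)
        return token[1]
```

Recording the (consumer key, timestamp, nonce) triple and refusing any oauth_signature_method other than the configured one are the two server-side checks most often missing from hand-rolled OAuth 1.0 providers; the timestamp window also bounds how long the nonce set has to be retained.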
New auth system
New system
To be released in v1.2*
• Refactor of the code
• Get rid of the NICE authenticator
• Easy to add new authenticators
• Faster, with a cache
• SSO capabilities: only a matter of configuration
Basic config

```python
# etc/indico.conf
AuthenticatorList = [('Local', {})]
```
Configure LDAP

```python
# etc/indico.conf
AuthenticatorList = [('LDAP', {
    'host': 'cerndc.cern.ch',
    'useTLS': False,
    'peopleDNQuery': ('cn={0}', 'OU=Users,OU=Organic Units,DC=cern,DC=ch'),
    'groupDNQuery': ('cn={0}', 'OU=Workgroups,DC=cern,DC=ch'),
    'groupStyle': 'SLAPD',
    'accessCredentials': ('CN=indico,OU=Users,OU=Organic Units,DC=cern,DC=ch', 'XXXXXXX'),
})]
```
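Two things a practitioner would check in the LDAP configuration above. First, 'useTLS': False means the simple bind with the accessCredentials password crosses the network in cleartext; it should be True (or the host reached over ldaps) wherever the directory supports it. Second, templates such as 'cn={0}' are filled with a user-supplied login, which has to be escaped according to how the template is used: as a search filter (RFC 4515) or as an RDN inside a DN (RFC 4514). The following is an added example, not Indico's code; build_filter, build_dn and assertion_count are hypothetical helpers written here to show both escapings and the difference they make for a login such as *)(uid=*.

```python
# RFC 4515 §3: characters that must be hex-escaped inside a filter assertion
# value, so that a login such as '*)(uid=*' cannot rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 §2.4: characters that must be backslash-escaped in a DN attribute value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape a value for use as an RDN attribute value (e.g. cn=<value>,OU=...)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and i in (0, last):  # leading/trailing space only
            out.append("\\ ")
        elif ch == "#" and i == 0:          # leading '#' only
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template, login):
    """Fill a template like 'cn={0}' with an escaped login and wrap it as a filter.
    (Hypothetical helper; how Indico itself applies the template is not shown here.)"""
    return "(" + template.format(escape_filter_value(login)) + ")"


def build_filter_unsafe(template, login):
    """What happens without escaping: the login is spliced in verbatim."""
    return "(" + template.format(login) + ")"


def build_dn(template, login, base_dn):
    """Fill the template as an RDN and append the base DN (e.g. to form a bind DN)."""
    return template.format(escape_dn_value(login)) + "," + base_dn


def assertion_count(ldap_filter):
    """Number of unescaped '(' in a filter. A filter built from one template
    must contain exactly one; escaped parentheses appear as \\28 and \\29."""
    return ldap_filter.count("(")
```

With escaping, the hostile login stays a single equality match on cn; without it the same input yields two assertions, the second of which matches every entry.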
Enable SSO

```python
AuthenticatorList = [('MyAuthSystem', {
    'SSOActive': True,
    'LogoutCallbackURL': 'https://example.com/wsignout',
    'SSOMapping': {
        'email': 'ADFS_EMAIL',
        'login': 'ADFS_LOGIN',
        'personId': 'ADFS_PERSONID',
        'phone': 'ADFS_PHONENUMBER',
        'fax': 'ADFS_FAXNUMBER',
        'lastname': 'ADFS_LASTNAME',
        'firstname': 'ADFS_FIRSTNAME',
        'institute': 'ADFS_HOMEINSTITUTE',
    },
})]
```