Changes between Version 13 and Version 14 of proposals/ImprovedSecurityArchitecture


Timestamp: Dec 15, 2010, 9:52:25 AM (14 years ago)
Author: heikki
Comment: --
  • proposals/ImprovedSecurityArchitecture

    v13 v14  
    210210    * HTTP-POST and HTTP-Redirect bindings
    211211    * Automatic generation of Service Provider metadata
    212     * Configuration of multiple !IDPs
     212    * Configuration of multiple IDPs
    213213
    214214GAAP support for SAML can function in one of the two modes of IDP discovery:
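Review bot: the `!` wiki-escape is dropped from `!IDPs` on line 212 while other escapes on the page (for example `Single-!SignOn`) are kept; if the rule being applied is that only CamelCase words need the escape, that is fine, but apply it consistently and check the rendered v14 page to confirm none of the now-unescaped words render as wiki links.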
     
    219219SP-initiated flow is to say, the user's Single Sign-On identity is created by the user starting at the GeoNetwork (the Service Provider). GAAP's login form shows a list of all trusted Identity Providers; the user can choose one, and upon submit is redirected to that Identity Provider's login form. After authentication at the Identity Provider the user comes back to GeoNetwork.
    220220
    221 !IDP-initiated flow is when the user has already authenticated with a trusted Identity Provider when doing a request to GeoNetwork; in this case the request carries a SAML Authentication token that is validated by GAAP and if valid, allows the user Single-!SignOn access to GeoNetwork.
    222 
    223 The !AuthNRequest SAML message is sent to the !IDP using either HTTP-POST or HTTP-Redirect binding and the request is stored in the cache for subsequent matching with the response.
     221IDP-initiated flow is when the user has already authenticated with a trusted Identity Provider when doing a request to GeoNetwork; in this case the request carries a SAML Authentication token that is validated by GAAP and if valid, allows the user Single-!SignOn access to GeoNetwork.
     222
     223The AuthNRequest SAML message is sent to the IDP using either HTTP-POST or HTTP-Redirect binding and the request is stored in the cache for subsequent matching with the response.
    224224
    225225All configured IDPs are considered to be members of a single circle of trust.
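Review bot: lines 221 and 223 describe two acceptance paths without saying how GAAP tells them apart: in the SP-initiated flow the cached AuthNRequest is matched against the response (line 223), while in the IDP-initiated flow a SAML token arrives with no prior request (line 221). State whether a response that matches no cached request is rejected, or is accepted as an unsolicited assertion, because that decision determines whether the cache match is a security check or only bookkeeping; it also matters for line 225, where every configured IDP is trusted equally, so an unsolicited assertion from any of them would be sufficient for login.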
     
    227227The SAML Single log-out profile is currently not supported, invocation of logout at will only destroy the local session.
    228228
    229 A UML Activity diagram giving a view of how GAAP manages a SP-initiated !WebSSO is:
     229A UML Activity diagram giving a view of how GAAP manages a SP-initiated WebSSO is:
    230230
    231231[[Image(SAMLAuthenticationActivity.png)]]
    232232
     233   1. When the user selects an IDP in GAAP login to validate against it, SAMLEntryPoint sends to the IDP an AuthNRequest SAML message .
     234   2. A SAML response created by the IDP is send to a GAAP URL, monitored by SAMLProcessingFilter that parses the SAML message wrapping it into SAMLAuthenticationToken.
     235   3. The SAMLAuthenticationProvider validates the SAMLAuthenticationToken and
     236   4. If the validation succeeds a Spring !AuthenticationToken is created and the flow continues to create the GAAP !AuthenticationToken as described previously.
     237
     238Because we support SAML 2.0, not SAML 1.1 or earlier, you can only use Shibboleth 2.0, not earlier versions.
    233239
    234240=== Backwards Compatibility Issues ===
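Review bot: steps 233 to 236 describe only the success path; step 3 ends in "and" and step 4 opens with "If the validation succeeds", so nothing says what SAMLAuthenticationProvider does when validation fails (reject the token, return the user to the login form, log the event). Add the failure outcome as its own step or fold it into step 4. Wording in the same steps: "is send to a GAAP URL" should read "is sent", and step 1 has a stray space before its final period. Also, since line 227 says Single Logout is unsupported and logout only destroys the local session, it would help readers to spell out the consequence: the user's session at the IDP remains active, so a later request to GeoNetwork may re-authenticate without a new credential prompt; that limitation belongs next to the Backwards Compatibility section that follows.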