
ESGF_Openid_Relying_Party

Stephen Pascoe edited this page Apr 9, 2014 · 6 revisions
Wiki Reorganisation
This page has been classified for reorganisation. It has been given the category MOVE.
The content of this page will be revised and moved to one or more other pages in the new wiki structure.

ESGF Openid Relying Party (ORP)

The ESGF Openid Relying Party, or ORP, is a web application deployed on an ESGF Node that is responsible for relaying authentication and registration requests to the appropriate ESGF Security Services. The ORP works in conjunction with the access control filters deployed in front of a data server (for example, the Thredds Data Server): the access control filters intercept and validate the data request, and redirect the client to the appropriate ORP pages if the request did not validate successfully.

An ORP exposes two endpoints (with corresponding user interfaces) that can be accessed by clients:

  • The Authentication endpoint is a URL that is used to establish proper user authentication.

    • If the client request to the authentication endpoint includes a valid X509 certificate, the ORP will establish an authentication cookie and redirect the client to the originally requested URL.
    • Otherwise, the ORP will present an OpenID input page, where the user enters his or her OpenID and is redirected to the Identity Provider for authentication.
  • The Registration endpoint is a URL that presents the user with a list of one or more access control groups that are needed for authorizing the user request. This page is used by the user to submit a registration request to the appropriate ESGF Registration Service.

Whitelisting

When deployed as part of an ESGF P2P node, the ORP application uses the optional whitelisting configuration to restrict the set of trusted Identity Providers, i.e. to accept only user OpenIDs that are issued by the explicitly configured IdPs. Specifically, the list of trusted IdPs is assembled from two files:

  • /etc/config/esgf_idp.xml : contains the list of IdPs for all the nodes in the current peer group. This list is automatically generated by the node manager, and is continuously updated to reflect the most up to date status of the federation.

  • /etc/config/esgf_idp_static.xml : contains a static list of external IdPs that are not associated with any P2P node, but are nevertheless trusted. This file is meant to be edited and maintained by the node administrator.
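As an added illustration of the whitelisting step above (example code written for this page, not the ORP's own Java implementation): the two files are merged into one set of trusted issuers, and a submitted OpenID is accepted only if its scheme and host match a listed IdP. The `<idps><idp>…</idp></idps>` layout of the sample XML and the host-based matching rule are assumptions, since the page does not describe the file schema or the ORP's comparison logic.

```python
# Added example, not ESGF project code. The XML layout below is assumed;
# the real esgf_idp.xml / esgf_idp_static.xml schema is not given on this page.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample content standing in for /etc/config/esgf_idp.xml
# (generated by the node manager) and /etc/config/esgf_idp_static.xml
# (maintained by the node administrator).
SAMPLE_DYNAMIC = """<idps>
  <idp>https://idp-a.example.org/esgf-idp/openid/</idp>
  <idp>https://idp-b.example.org/esgf-idp/openid/</idp>
</idps>"""
SAMPLE_STATIC = """<idps>
  <idp>https://external-idp.example.net/openid/</idp>
</idps>"""


def load_idps(xml_text):
    """Return the set of (scheme, host) issuers listed in one whitelist file.
    Entries that are not https or have no host are ignored rather than trusted."""
    root = ET.fromstring(xml_text)
    issuers = set()
    for el in root.iter("idp"):
        parts = urlsplit((el.text or "").strip())
        if parts.scheme == "https" and parts.hostname:
            issuers.add((parts.scheme, parts.hostname.lower()))
    return issuers


def trusted_issuers(*xml_texts):
    """The whitelist is the union of the peer-group list and the static list."""
    result = set()
    for text in xml_texts:
        result |= load_idps(text)
    return result


def is_trusted_openid(openid, issuers):
    """Accept an OpenID only if its scheme and host match a whitelisted IdP.
    urlsplit().hostname drops any userinfo ('name@') and port, so an
    identifier whose netloc contains '@' is judged by its real host, not by
    a trusted-looking prefix, and a mismatch is rejected."""
    parts = urlsplit(openid.strip())
    if parts.scheme != "https" or not parts.hostname:
        return False
    return (parts.scheme, parts.hostname.lower()) in issuers
```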
