Design 1.2
Use Cases
Authenticate Local User
This use case describes the process by which the grid user is authenticated against a local authentication system and the attributes of the user are returned.
Actors
- Grid User
- Local Authentication System
Pre-Conditions
None
Basic Flow
- Grid User provides basic credentials: user name and password.
- Local Authentication System determines that user name and password are valid.
- Local Authentication System returns user attributes.
Post-Conditions
The system has obtained the attributes of the grid user.
Alternate Course 1
- Step 1 of Basic Flow.
- Local Authentication System determines that user name and password are not valid.
- An "invalid credential error" is returned.
Post-Conditions
The system has not obtained attributes of the Grid User.
Provide SAML Assertion
This use case describes the process by which a Grid User obtains a SAML Assertion about the user's identity.
Actors
- Grid User
- Local Authentication System
Pre-Conditions
None
Basic Flow
- The Basic Flow of the Authenticate Local User use case is executed.
- The attributes returned by Local Authentication System are sufficient to create a SAML Assertion.
- A SAML Assertion is returned to the Grid User.
Post-Conditions
The Grid User has a SAML Assertion that can be exchanged for grid credentials.
Alternate Flow 1
- Step 1 of Basic Flow.
- The attributes returned by Local Authentication System are insufficient to create a SAML Assertion.
- An "insufficient attribute error" is returned to the user.
Post-Conditions
The Grid User does not have a SAML Assertion.
Provide Grid Credentials
See Dorian documentation.
Class Diagrams
The following diagram depicts the main components of the authentication service.
The Globus RPCProvider uses the information in server-config.wsdd to invoke the authenticate operation on AuthenticationServiceProviderImpl, whose main responsibility is to unpack the Credential from the AuthenticationRequest and then to package the SAMLAssertion into an AuthenticationResponse. AuthenticationServiceProviderImpl then invokes the authenticate operation on AuthenticationServiceImpl.
AuthenticationServiceImpl's responsibility is to instantiate an AuthenticationProvider and interact with it according to the contract defined in that interface. AuthenticationServiceImpl uses Spring to instantiate (and configure) the AuthenticationProvider instance, and then invokes the authenticate operation on it.
The AuthenticationProvider component of Authentication Service was designed as a framework. The following diagram depicts this framework.
A simple implementation of AuthenticationProvider is provided in DefaultAuthenticationProvider. This class expects the samlProvider and subjectProvider dependencies to be set before invoking the authenticate method. The implementation of this method invokes SubjectProvider.getSubject(Credential):Subject and SAMLProvider.getSAML(Subject):SAMLAssertion.
The DefaultSubjectProvider implementation of SubjectProvider uses the CSM AuthenticationManager to retrieve the javax.security.auth.Subject, given the user name and password that are pulled out of the Credential object. DefaultSubjectProvider expects a fully configured instance of AuthenticationManager to be supplied as its authenticationManager dependency before the getSubject method is invoked.
The Credential object is deserialized from XML by the Axis framework. The following is an excerpt from the XSD that defines the XML format of the Credential object.
<xsd:element name="Credential" type="auth:Credential"/>
<xsd:complexType name="Credential">
  <xsd:choice>
    <xsd:element name="BasicAuthenticationCredential" minOccurs="1" maxOccurs="1" type="auth:BasicAuthenticationCredential"/>
    <xsd:element name="CredentialExtension" minOccurs="1" maxOccurs="1" type="xsd:anyType"/>
  </xsd:choice>
</xsd:complexType>
<xsd:complexType name="BasicAuthenticationCredential">
  <xsd:sequence>
    <xsd:element name="userId" minOccurs="1" maxOccurs="1" type="xsd:string"/>
    <xsd:element name="password" minOccurs="1" maxOccurs="1" type="xsd:string"/>
  </xsd:sequence>
</xsd:complexType>
As this snippet shows, the Credential element contains exactly one of two children: either a BasicAuthenticationCredential element or a CredentialExtension element. The DefaultSubjectProvider requires that a BasicAuthenticationCredential be provided. The CredentialExtension element (typed as xsd:anyType, so its content is not constrained by the schema) is there to support other implementations of SubjectProvider.
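The following is an added illustration of how the xsd:choice in the Credential element can be enforced when the XML is handled directly rather than by Axis; it is not code from the authentication service. The target namespace of the schema is not shown in the excerpt, so the `AUTH_NS` value and the qualified child elements are assumptions, and both sample messages are constructed for this example. The parser is configured to reject DTDs because the Credential document arrives from an unauthenticated caller.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CredentialChoiceExample {

    // Assumed schema namespace; the page's XSD excerpt does not show the target namespace.
    static final String AUTH_NS = "urn:example:auth";

    // Constructed sample: the branch of the choice that DefaultSubjectProvider accepts.
    static final String BASIC_CREDENTIAL_XML =
        "<auth:Credential xmlns:auth='" + AUTH_NS + "'>"
      + "<auth:BasicAuthenticationCredential>"
      + "<auth:userId>jdoe</auth:userId><auth:password>correct horse</auth:password>"
      + "</auth:BasicAuthenticationCredential></auth:Credential>";

    // Constructed sample: the extension branch, meant for other SubjectProvider implementations.
    static final String EXTENSION_CREDENTIAL_XML =
        "<auth:Credential xmlns:auth='" + AUTH_NS + "'>"
      + "<auth:CredentialExtension><token>opaque</token></auth:CredentialExtension>"
      + "</auth:Credential>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted input: no DTDs, so neither entity expansion nor external entity resolution can happen.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static List<Element> childElements(Element parent) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n.getNodeType() == Node.ELEMENT_NODE) out.add((Element) n);
        return out;
    }

    // minOccurs="1" maxOccurs="1": the element must be present exactly once and non-empty.
    static String requiredText(Element parent, String localName) {
        NodeList nl = parent.getElementsByTagNameNS(AUTH_NS, localName);
        if (nl.getLength() != 1) throw new IllegalArgumentException(localName + " must occur exactly once");
        String text = nl.item(0).getTextContent();
        if (text == null || text.isEmpty()) throw new IllegalArgumentException(localName + " must not be empty");
        return text;
    }

    // Returns {userId, password} for a BasicAuthenticationCredential, and rejects anything else,
    // which is the behaviour the page describes for DefaultSubjectProvider.
    static String[] basicCredential(String xml) throws Exception {
        Element credential = parse(xml).getDocumentElement();
        List<Element> children = childElements(credential);
        if (children.size() != 1)
            throw new IllegalArgumentException("Credential must hold exactly one choice element");
        Element choice = children.get(0);
        if (!AUTH_NS.equals(choice.getNamespaceURI())
                || !"BasicAuthenticationCredential".equals(choice.getLocalName()))
            throw new IllegalArgumentException(
                "DefaultSubjectProvider requires BasicAuthenticationCredential, got " + choice.getLocalName());
        return new String[] { requiredText(choice, "userId"), requiredText(choice, "password") };
    }

    public static void main(String[] args) throws Exception {
        String[] basic = basicCredential(BASIC_CREDENTIAL_XML);
        System.out.println("userId=" + basic[0]);               // password deliberately not printed
        try {
            basicCredential(EXTENSION_CREDENTIAL_XML);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());                 // extension branch is rejected
        }
    }
}
```

The exact-one-child check matters because xsd:anyType on CredentialExtension means the schema itself places no constraint on that branch; a provider that only understands BasicAuthenticationCredential should refuse the extension branch explicitly rather than fall through.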
The DefaultSAMLProvider implementation of SAMLProvider requires that its certificate, privateKey, and password dependencies be set, and that its loadCertificates method has been called, before the getSAML method is invoked. The Subject that is passed to the getSAML method must contain instances of these four subclasses of java.security.Principal:
- gov.nih.nci.security.authentication.principal.LoginIdPrincipal
- gov.nih.nci.security.authentication.principal.FirstNamePrincipal
- gov.nih.nci.security.authentication.principal.LastNamePrincipal
- gov.nih.nci.security.authentication.principal.EmailIdPrincipal
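The following added example walks the AuthenticationProvider framework end to end, covering the use cases at the top of this document (the basic flow, the "invalid credential error" and the "insufficient attribute error") and the contracts described above. It is not the service's own code: SubjectProvider, SAMLProvider and the four principal classes are local stand-ins whose names mirror the page, a constructed in-memory user table replaces the CSM AuthenticationManager, and the SAML provider stand-in returns the attribute set an assertion would carry rather than a signed assertion.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class AuthenticationProviderExample {

    // Local stand-ins for the CSM principal classes; the real ones live in
    // gov.nih.nci.security.authentication.principal and are not used here.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class LoginIdPrincipal extends NamedPrincipal { LoginIdPrincipal(String n) { super(n); } }
    static class FirstNamePrincipal extends NamedPrincipal { FirstNamePrincipal(String n) { super(n); } }
    static class LastNamePrincipal extends NamedPrincipal { LastNamePrincipal(String n) { super(n); } }
    static class EmailIdPrincipal extends NamedPrincipal { EmailIdPrincipal(String n) { super(n); } }

    // The two error outcomes named in the use cases.
    static class InvalidCredentialException extends Exception {
        InvalidCredentialException() { super("invalid credential error"); }
    }
    static class InsufficientAttributeException extends Exception {
        InsufficientAttributeException(String missing) { super("insufficient attribute error: " + missing); }
    }

    // Hypothetical contracts mirroring the SubjectProvider / SAMLProvider interfaces the page names.
    interface SubjectProvider { Subject getSubject(String userId, char[] password) throws InvalidCredentialException; }
    interface SAMLProvider { Map<String, String> getSAML(Subject subject) throws InsufficientAttributeException; }

    // Stand-in for DefaultSubjectProvider, backed by a constructed in-memory user table.
    static class InMemorySubjectProvider implements SubjectProvider {
        private final Map<String, String[]> users = new HashMap<>(); // userId -> {password, first, last, email}
        void addUser(String id, String pw, String first, String last, String email) {
            users.put(id, new String[] { pw, first, last, email });
        }
        public Subject getSubject(String userId, char[] password) throws InvalidCredentialException {
            String[] row = users.get(userId);
            byte[] supplied = new String(password).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison; an unknown user is compared against an empty value so
            // "no such user" and "wrong password" take the same path and raise the same error.
            byte[] stored = (row == null ? "" : row[0]).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(stored, supplied) || row == null) throw new InvalidCredentialException();
            Subject s = new Subject();
            s.getPrincipals().add(new LoginIdPrincipal(userId));
            if (row[1] != null) s.getPrincipals().add(new FirstNamePrincipal(row[1]));
            if (row[2] != null) s.getPrincipals().add(new LastNamePrincipal(row[2]));
            if (row[3] != null) s.getPrincipals().add(new EmailIdPrincipal(row[3]));
            return s;
        }
    }

    // Stand-in for DefaultSAMLProvider: requires exactly one non-empty instance of each of the
    // four principal types before anything is asserted about the user.
    static class AttributeCheckingSAMLProvider implements SAMLProvider {
        private static String require(Subject s, Class<? extends Principal> type, String label)
                throws InsufficientAttributeException {
            Set<? extends Principal> found = s.getPrincipals(type);
            if (found.size() != 1) throw new InsufficientAttributeException(label);
            String value = found.iterator().next().getName();
            if (value == null || value.isEmpty()) throw new InsufficientAttributeException(label);
            return value;
        }
        public Map<String, String> getSAML(Subject subject) throws InsufficientAttributeException {
            Map<String, String> attrs = new HashMap<>();
            attrs.put("LoginId", require(subject, LoginIdPrincipal.class, "LoginIdPrincipal"));
            attrs.put("FirstName", require(subject, FirstNamePrincipal.class, "FirstNamePrincipal"));
            attrs.put("LastName", require(subject, LastNamePrincipal.class, "LastNamePrincipal"));
            attrs.put("EmailId", require(subject, EmailIdPrincipal.class, "EmailIdPrincipal"));
            return attrs;
        }
    }

    // Stand-in for DefaultAuthenticationProvider: both dependencies must be set before authenticate().
    static class DefaultAuthenticationProvider {
        SubjectProvider subjectProvider;
        SAMLProvider samlProvider;
        Map<String, String> authenticate(String userId, char[] password)
                throws InvalidCredentialException, InsufficientAttributeException {
            if (subjectProvider == null || samlProvider == null)
                throw new IllegalStateException("subjectProvider and samlProvider must be set");
            return samlProvider.getSAML(subjectProvider.getSubject(userId, password));
        }
    }

    public static void main(String[] args) throws Exception {
        InMemorySubjectProvider users = new InMemorySubjectProvider();
        users.addUser("jdoe", "correct horse", "Jane", "Doe", "jdoe@example.org"); // complete record
        users.addUser("noemail", "battery staple", "No", "Mail", null);             // EmailIdPrincipal missing
        DefaultAuthenticationProvider provider = new DefaultAuthenticationProvider();
        provider.subjectProvider = users;
        provider.samlProvider = new AttributeCheckingSAMLProvider();

        System.out.println(provider.authenticate("jdoe", "correct horse".toCharArray()));  // basic flow
        try { provider.authenticate("jdoe", "wrong".toCharArray()); }
        catch (InvalidCredentialException e) { System.out.println(e.getMessage()); }     // alternate course 1
        try { provider.authenticate("noemail", "battery staple".toCharArray()); }
        catch (InsufficientAttributeException e) { System.out.println(e.getMessage()); } // alternate flow 1
    }
}
```

Two design points carried over from the document: the SAML provider never sees a Subject unless the credential check already succeeded, and attribute completeness is checked before any assertion is produced, so a partially populated directory record yields the "insufficient attribute error" rather than an assertion with blank fields.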