Access Keys:
Skip to content (Access Key - 0)

Authentication Service

Integrating an Identity Provider

Default Authentication Provider with Default Subject Provider

[ Authentication Service:  Developers Guide  | caGrid: Documentation Guides ]

Overview

This guide provides step by step details on how to integrate a Identity Provider using the Authentication Service 1.4. This approach should be used in the case where your Identity Provider is not capable of issuing SAML Assertions but is supported by the Common Security Module (CSM).

Authentication Service Installation and Base Configuration

Contents

Prerequisites

In order to install and run the Credential Delegation Service (CDS), the following prerequisite software must be installed:

Step 1: Install caGrid/Authentication Service

In this step you will download and install the Authentication Service using the caGrid Installer. If you already have caGrid 1.4 installed on your machine you may proceed to the next step. To install caGrid/Authentication Service, complete the following steps:

Installer Prerequisites

The caGrid Installer installs all prerequisites except for Java and MySQL.

  • Java 6 JDK
    • Make sure the JAVA_HOME environment variable is set and points to the location where the JDK has been installed.
  • (Optional) If you are deploying caGrid core services locally, you may also need a MySQL database.
    Note
    MySQL is only required for the security services and GME. You can use 4.x (with transaction enabled; i.e., use InnoDB engine) or 5.x.

Installing caGrid 1.4 Using the Installer

Internet Resources Required by the Installer
Unless you are using a customized installer, the installer will need to be able to access these internet resources:
  1. Download the caGrid 1.4 Installer, unless you have a customized installer that you have been instructed to use for your grid. The downloaded installer should be contained in the file caGrid-installer-1.4.zip. If you are using a customized installer the name may vary.

  2. Unzip the file caGrid-installer-1.4.zip. This creates the directory caGrid-installer-1.4. This documentation refers to this directory as CAGRID_INSTALLER_LOCATION.

  3. From a command prompt, launch the installer using the following command:
    Do not launch the installer by double-clicking the jar file
     > cd *CAGRID_INSTALLER_LOCATION*
    
> java -jar caGrid-installer-1.4.jar
  4. Select the I agree to this license checkbox and then click  Next.
  5. Select the Install/Configure caGrid Software checkbox and then click  Next.
  6. The installer detects whether or not you have already installed Ant. It installs or reinstalls it, depending on your installation status. In either case, you must specify the location where you want to install Ant.

  7. The installer detects whether or not you have already installed Globus. It installs or reinstalls it, depending on your installation status. In either case, you must specify the location where you want to install Globus.

  8. The installer asks you for a location on your local file system to install caGrid. Specify a location to install caGrid and click  Next.
    To select a file location that is not in the User's Home directory, Click the Look In: drop down list and select a new starting location.
  9. The installer displays a list of tasks that the installer will perform. Click  Next to begin the installation process. At this time the installer downloads, builds, and installs several components. This process takes several minutes.

  10. Once the installer has completed installing all the components, click  Next.

  11. The installer prompts you to specify which Grid you want to configure your installation to use. The installer supports configuring caGrid to work out of the box with many community Grid environments. For testing and development purposes, we recommend selecting the Training Grid. If you do not want to configure caGrid to work with an existing Grid you may select that as well. The installer can also be modified to support additional Grids.
  12. The installer shows a summary of the tasks to be completed. Click  Next to configure caGrid to use the selected target Grids. This process takes several minutes.

  13. Once the installer has finished configuring caGrid to use the target Grid, click  Next. The final screen reminds you to set your ANT_HOME and GLOBUS_LOCATION environment variables. Set these variables immediately and click Finish.

Congratulations! You have successfully installed caGrid.
Add ANT_HOME/bin to PATH
You will be running the ant program from the command line so add ANT_HOME/bin to PATH.

The installer will install caGrid to the directory you specified during installation. From this point forward we will refer to this directory as CAGRID_HOME. The Authentication Service can be found in the directory CAGRID_HOME/projects/authentication-service, from this point forward we will refer to this directory as AUTHENTICATION_SERVICE_HOME. The GAARDS UI or graphical user interface for authenticating with the Authentication Service, is located in CAGRID_HOME/projects/gaardsui, from this point forward we will refer to this directory as GAARDS_UI_HOME.

Step 2: Obtain Host Credentials

The Authentication Service runs as a secure service. In order to run a secure service, the container hosting the service must run with a host credential. A host credential consist of a X.509 certificate and private key. In production environment it is very important that this credential be issued by a certificate authority that your environment trusts.  For the purposes of this guide we will provide instructions on how to obtain a host credential from Dorian. Dorian is an open source service framework for issuing PKI credentials and is a trusted certificate authority in many Grid environments. Most target Grids (selected in the last step) are configured with one or more Dorian instances. For the purposes of this guide we will provide documentation on requesting a host credential from the Training Dorian, similar steps can be used for requesting a host credential from other Dorian instances.

To request a host credential from the Training Dorian, you must have must have an account.  Any user may request an account from the Training Dorian.  If you have an account with the Training Dorian, please complete the steps below to get a host credential, other wise click here for directions on requesting an account and then proceed with the steps below:

  1. Launch the GAARDS UI
  2. Log onto the Grid.
  3. From the MyAccount menu, select Request a Host Certificate, this will launch the Request a Host Certificate window.
  4. From the Service drop down select the Dorian you wish to request a host certificate from.
  5. In the Host text box, enter the fully qualified name of the host you are requesting a host certificate for.
  6. Next you must specify the directory on the file system where the host credentials should be written to, this can be done by clicking the Browse button.
  7. Click the Request Certificate button.

Immediately after clicking the Request Certificate button, the UI will submit the host certificate request to Dorian. Upon receiving the request Dorian will either immediately approve the request or submit the request to administrator for approval. In the case where the request is immediately approved, the host credentials (certificate and private key) will be written to the directory specified. The file containing the certificate will be named THE_HOSTNAME_YOU_ENTERED-cert.pem, the file containing the private key will be named THE_HOSTNAME_YOU_ENTERED-key.pem.

In the case where host certificate request requires approval of an administrator, the file containing the private key will be named THE_HOSTNAME_YOU_ENTERED-key.pem. The host certificate WILL NOT be written since it is not issued until the request is approved.  You will need to wait for an administrator to approve your request before proceeding forward.  The GAARDS UI provide a means of checking the status of your request, for directions on how to do this click here.

Note the location where that the host certificate and private key were written. You will need these later to configure your container.

Step 3: Configure a Secure Container

In this step we will configure a web service container that will host the Authentication Service.   The Authentication Service can be deployed to the Tomcat, JBoss, and Globus containers.  For the purposes of this guide we will provide detailed instructions on how to use the caGrid Installer to install and configure a secure  Tomcat container.   You will need to supply the installer with the host credentials you created in the last step.

  1. From a command prompt, launch the caGrid Installer: 
    > cd \ CAGRID_INSTALLER_LOCATION
    
> java -jar caGrid-installer-1.4.jar
  2. Select the I agree to this license box and then click Next.
  3. Select the Install/Configure Grid Service Container box and then click Next.
  4. Select the Container to which you want to deploy your service. Because this guide will use a secure Tomcat, select the Should this container be secure? box and then click Next.
  5. In the hostname box, enter the hostname of your server. This should match the hostname you used when you created your host credentials. Click Next.
    If you plan on using this container to deploy a service that registers to an existing grid, it is important that you use a publicly resolvable DNS name (or static IP). Otherwise, you will need to manually edit configuration files later to correct this.
  6. From the Obtain host credentials method list, select the option that applies to your situation and click Next.
    Options:
    • If you do not yet have credentials for your service, select Use GAARDS to obtain host credentials.
    • If you have host credentials that are not in the default location, then select Browse to host credentials on the file system.
    • If you have host credentials that are in the default location, then select Host credentials are already installed.

    Default credential location:

    • On Windows, this will be a path like "C:\Documents and Settings\<USERNAME>\.cagrid\certificates".
    • On Linux/MAC this will be a path like "/Users/YOUR_USERNAME/.cagrid/certificates".
  7. If you selected Browse to host credentials on the file system, the next screen will prompt you for the location of your credentials. Enter the location of your host certificate in the Certificate text box. Enter the location of your private key in the Key text box. Click Next.
  8. The next screen asks where you want to install Tomcat. Enter that location in the Directory text box and click Next.
  9. A list of tasks appears that the installer will perform in order to install and configure Tomcat. Click Next.
  10. Once the installer has completed installing all of the components, click Next.
  11. Click Next. The final screen reminds you to set your ANT_HOME, GLOBUS_LOCATION and CATALINA_HOME environment variables. Set these variables immediately and click Finish.

Congratulations! You have successfully installed and configured your Tomcat container.

Step 4: Edit Service Metadata

The Authentication Service provides service metadata to clients and other services that describes information about the service, operations supported by the service, and information on the organization hosting the service.

Edit the service metadata to reflect your organization as follows:

  1. Open the Authentication Service metadata file, AUTHENTICATION_SERVICE_HOME/etc/serviceMetadata.xml.
  2. In the hostingResearchCenter element near the bottom of the file, do the following.
    1. Supply your ResearchCenter infomation.
    2. Supply your Address. This is the address that is used when mapping your service on the caGrid Portal.
    3. Supply the PointOfContact. This is the person responsible for maintaining the service.
      A completed example: 
      <ns1:hostingResearchCenter>
  <ns53:ResearchCenter displayName="Ohio State University" shortName="OSU" xmlns:ns53="gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata.common">
   <ns53:Address country="US" locality="Columbus" postalCode="43210" stateProvince="OH" street1="3190 Graves Hall" street2="333 W. 10th Ave."/>
   <ns53:pointOfContactCollection>
    <ns53:PointOfContact affiliation="OSU" email="John.Doe@osumc.edu" firstName="John" lastName="Doe" phoneNumber="(555) 555-5555" role="Maintainer"/>
   </ns53:pointOfContactCollection>
  </ns53:ResearchCenter>
 </ns1:hostingResearchCenter>
By default, the Authentication Service registers with and publishes its service metadata to the Index Service. The default Index Service is configured as the Index Service of the target grid you selected when you installed the Authentication Service. You can find configuration details on registering and publishing to the Index Service, including disabling registration and changing which Index Service to register with, on the Registration and Discovery page.

Step 5: Configure CSM

Under this approach CSM is used to validate a user's credential and retrieve the user attributes' required in a Dorian-compliant SAML Assertion. and retrieve certain user attributes that are required by the caGrid Dorian service. CSM uses the Java Authentication and Authorization Service (JAAS) to enable modules that are responsible for authentication to be plugged in using a standardized approach. This section provides login modules for both LDAP and RDBMS.

Note: JAAS provides a flexible configuration mechanism. This section describes only one approach (in particular, it describes the approach used by the caGrid installer.) For details on configuring JAAS, see: http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

The SAML authentication assertion that must be presented to Dorian in order to retrieve grid credentials must contain information about the user in the form of SAML attributes. These attributes correspond to the following information:

  1. First Name
  2. Last Name
  3. Email Address

Thus, CSM must be configured to retrieve that information from either the LDAP server or RDBMS. The JAAS configuration file that configures CSM in this way should be named .java.login.config and placed in the home directory of the user account that the Tomcat or the Globus container will running under.

RDBMS Configuration

Below is an example of JAAS configuration file that configures the CSM RDBMSLoginModule:

myapp{
gov.nih.nci.security.authentication.loginmodules.RDBMSLoginModule
required
  driver="org.gjt.mm.mysql.Driver"
  url="jdbc:mysql://somehost:3306/somedatabase"
  user="dbuser"
  passwd="dbpassword"
  TABLE_NAME="CSM_USER"
  USER_LOGIN_ID="LOGIN_NAME"
  USER_PASSWORD="PASSWORD"
  USER_FIRST_NAME="FIRST_NAME"
  USER_LAST_NAME="LAST_NAME"
  USER_EMAIL_ID="EMAIL_ID"
  encryption="YES";
};

In the above configuration, the JAAS application name is myapp. The driver, url, user, and password parameters configure the JDBC connection to the RDBMS. In this case, a MySQL driver is being used. The appropriate JDBC driver for your RDBMS should be placed in AUTHENTICATION_SERVICE_LOCATION/lib before deploying the service. The TABLE_NAME, USER_LOGIN_ID, USER_PASSWORD, USER_FIRST_NAME, USER_LAST_NAME, and USER_EMAIL_ID parameters indicate how the user's credentials can be validated and the appropriate attributes retrieved. If CSM is being used to manage these accounts, then one can configure if encryption should be used when validating the user's password.

LDAP Configuration

If your Identity Provider uses LDAP, then you should configure JAAS to use the CSM LDAPLoginModule. An example JAAS configuration file that configures the CSM LDAPLoginModule is shown below:

myapp{
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule required
    ldapHost="ldaps://my.ldap.host.org:636"
    ldapSearchableBase="ou=some,o=base"
    ldapAdminUserName="CN=CABIG,OU=Authentication Accounts,DC=XYZ,DC=ABC"
    ldapAdminPassword="password"
    ldapUserIdLabel="cn"
    USER_FIRST_NAME="givenName"
    USER_LAST_NAME="sn"
    USER_EMAIL_ID="mail";
};

Step 6: Configure the Authentication Service

The Authentication Service leverages the Spring Frameworkfor configuration.  The use of the Spring Framework provides provides the Authentication Service alot of flexibility in being able to replace components such as the AuthenticationProvider and the SubjectProvider.  The Authentication Service configuration file is contained in the file AUTHENTICATION_SERVICE_HOME/etc/authentication-config.xml, this file contains the Spring Beans for the configurable components of the Authentication Service.  In this case since we are using the default providers, we do not need to make any edits. The second configuration file the Authentication Services uses is the Authentication Service properties file, which is contained in the file AUTHENTICATION_SERVICE_HOME/etc/authentication.properties.  The Authentication Service properties file contains commonly edited properties for configuring the Authentication Service.  Below we have provided a list of properties that must be edited for this approach:

gaards.authentication.csm.app.context

The name of the application context used in the JAAS Configuration file, in the example above we use myapp.

gaards.authentication.csm.truststore

This property must be provided if you are using LDAPS.   In order for the client to connect to the LDAPS server it must trust the LDAPS server's credentials.  This property specifies the location of a Java trust store containing the trusted credential providers.   The trust store configured must contain the CA certificate for the CA that issued your LDAPS server's certificate.  If you dont have a trust store the Authentication Service provides a command line utility for creating one.  This utility can be execute from the command line as follows:

 > cd AUTHENTICATION_SERVICE_HOME
 > ant createTruststore
The program will prompt you to enter a location/file to write the trust store to. Next the program will ask you to enter the location/filename of the CA certificate. You should enter the location of the CA certificate for the certificate authority that issued your LDAP server's credential. Please note the CA certificate MUST be in PEM format.

gaards.authentication.saml.cert

The full path to the file containing the certificate that corresponds to the private key that should be used for signing the SAML Assertions.  It is required that the certificate be in PEM format.  If you dont have a specific certificate for issuing assertions, you may user the host certificate you created earlier.

gaards.authentication.saml.key

The full path to the file containing the private key that should be used for signing the SAML Assertions.  It is required that the private key be in PEM format.  If you dont have a specific private key for issuing assertions, you may user the host private key you created earlier.

gaards.authentication.saml.key.password

The password (if one exists) used for encrypting/decrypting the private key. If you are using the private key you created earlier, leave this blank as that private key was not encrypted.

Step 7: Build the Authentication Service

To build the Authentication Service, please type the following at the command line:

 > cd AUTHENTICATION_SERVICE_HOME
 > ant clean all

Step 8: Deploy and Start the Authentication Service

At this point we have completed configuring the Authentication Service and the Tomcat container the Authentication Service will run in.  We are now ready to deploy the Authentication Service to the Secure Tomcat Container.  This can be done as follows from a command prompt:

 >cd AUTHENTICATION_SERVICE_HOME
 > ant deployTomcat
If you chose to use a JBoss container, the Authentication Service can easily be deployed by typing the following at a command prompt:

 > cd AUTHENTICATION_SERVICE_HOME
 > ant deployJBoss
Although the installer does not support configuring a secure Globus container, the Authentication Service can be deployed to a secure Globus container by typing the following at the command prompt:
 > cd AUTHENTICATION_SERVICE_HOME
 > ant deployGlobus
No matter which container you choose you should see a significant amount of output to the screen, if the deployment is successful you should see the words "BUILD SUCCESSFUL" outputted to the screen.

Once you deployed the Authentication Service, please start your container. Please make sure that there is outside connectivity to your Authentication Service through your firewall.

Step 9: Register Your Identity Provider with the Training Dorian

To allow users with accounts on your Identity Provider to use their credentials to access the Grid you must register your Authentication Service/Identity Provider with Dorian such that Dorian will trust your identity provider and issue grid credentials to your users.  Registering your Identity Provider with Dorian requires the following information:

  1. Certificate - The certificate (PEM Format) that corresponds to the private key that is used by your Authentication Service for signing SAML Assertions.
  2. Authentication Service URL - The service URL for your Authentication Service.
  3. Authentication Service Identity - The grid identity of your Authentication Service, if you are not sure what this is, please provide your host certificate (this may be the same certificate used for SAML Assertions).

Please send the above information to knowledge@osu-citih.org, you should be contacted within 1-2 business days.  Once you have received confirmation that your identity provider has been registered with Dorian, pleaes proceed to the next step.

Step 10: Test Logging onto the Training Grid

Once you Identity Provider has been registered with Dorian, we are ready to validate that your Authentication Service/Identity Provider is operating properly. Before doing so make sure your Authentication Service is running and that is available outside of your firewall. To validate that you Authentication Service is operating properly, please complete the following:

  1. Type the following from a command prompt: 
    $ cd GAARDS_UI_HOME
     $ ant ui
  2. Click the Login button, this will bring up a Login screen.
  3. From the Credential Provider drop down select Training.
  4. From the Organization drop down select your Organization.
  5. In the User Id text box enter your user id for the account assigned to you by your organization
  6. In the Password text box enter the password for this account.
  7. Click the Authenticate button.

    Login Window

    Successful Login

    After clicking the Authenticate button you will be logged onto Dorian using the credentials issued by your organization. If the login is successful a dialog will be displayed informing you that you have succesfully logged on.

Congratulations you have successfully integrated your Identity Provider into the Grid!!!
Last edited by
Joe George (616 days ago) , ...
Adaptavist Theme Builder Powered by Atlassian Confluence