
Integrate an Identity Provider with Dorian


Overview

Dorian provides an integration point between external security domains and the grid, allowing accounts managed in external domains to be federated and managed in the grid. This lets users log on to the Grid with the credentials their organization already issues them, the ones they use every day. To enable this, the organization's Identity Provider (IdP), the system that issues credentials to users, must be integrated with Dorian. This How-To documents how to integrate an Identity Provider with Dorian.

Technical Background

To integrate an Identity Provider with Dorian, the Identity Provider must be able to provide a SAML Assertion for each of its users every time they authenticate to the Grid. The SAML Assertion must contain an Authentication Statement asserting that the user authenticated with the Identity Provider and by what means. It must also contain an Attribute Statement asserting the following attributes:

  1. User's Identity with the IdP
  2. First Name
  3. Last Name
  4. Email Address

The SAML Assertion identifies the user, proves that they authenticated with the IdP, and carries a small set of information about the user that is useful to Dorian administrators. Dorian verifies the assertion's signature against the certificate registered for the Trusted Identity Provider, so the assertion must be signed with the IdP's private key. For complete details on the SAML Assertion required by Dorian, consult the technical specification.
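To check what your IdP emits before asking for it to be trusted (Step 9 of each approach below), here is an added example, not Dorian or caGrid code, that parses a SAML 1.1 assertion and reports which of the requirements above it fails to meet: a signature element, a validity window, an Authentication Statement with a method, and an Attribute Statement carrying the four attributes. The attribute names it looks for (UserId, FirstName, LastName, EmailAddress) are assumed placeholders; take the real ones from the technical specification. The sample assertion is constructed inline and its Signature element is a stand-in, not a real XML-DSig; Dorian additionally verifies the signature against the IdP certificate, which this shape check does not do.

```python
"""Structural check of a SAML 1.1 assertion against what Dorian requires (added example, not caGrid code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# ASSUMPTION: placeholder attribute names; the real ones are defined in the Dorian specification.
REQUIRED_ATTRIBUTES = ("UserId", "FirstName", "LastName", "EmailAddress")


def q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def parse_instant(value):
    """SAML 1.1 instants are UTC xsd:dateTime values such as 2009-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now):
    """Return the list of problems found; an empty list means the assertion has the required shape."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q(SAML_NS, "Assertion"):
        return ["root element is not a SAML 1.x Assertion"]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        problems.append("assertion is not SAML 1.1")
    if root.find(q(DSIG_NS, "Signature")) is None:
        problems.append("assertion is not signed")

    # Validity window: an assertion outside its Conditions must not be accepted.
    cond = root.find(q(SAML_NS, "Conditions"))
    if cond is None:
        problems.append("no Conditions element (no validity window)")
    else:
        if now < parse_instant(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")

    # Authentication Statement: proves the user authenticated with the IdP, and by what means.
    auth = root.find(q(SAML_NS, "AuthenticationStatement"))
    if auth is None:
        problems.append("no AuthenticationStatement")
    else:
        if not auth.get("AuthenticationMethod"):
            problems.append("AuthenticationStatement has no AuthenticationMethod")
        if auth.find(q(SAML_NS, "Subject") + "/" + q(SAML_NS, "NameIdentifier")) is None:
            problems.append("AuthenticationStatement has no Subject/NameIdentifier")

    # Attribute Statement: the user's identity plus the attributes Dorian administrators rely on.
    attrs = {}
    for attr in root.iterfind(q(SAML_NS, "AttributeStatement") + "/" + q(SAML_NS, "Attribute")):
        attrs[attr.get("AttributeName")] = [v.text or "" for v in attr.findall(q(SAML_NS, "AttributeValue"))]
    if not attrs:
        problems.append("no AttributeStatement")
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name) or not attrs[name][0].strip():
            problems.append("missing or empty attribute %s" % name)
    return problems


def build_sample(attributes, signed=True, not_on_or_after="2009-01-01T13:00:00Z"):
    """CONSTRUCTED test assertion. The Signature element is a stand-in, not a real XML-DSig."""
    attr_xml = "".join(
        '<saml:Attribute AttributeName="%s" AttributeNamespace="urn:example:idp">'
        "<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>" % (escape(k), escape(v))
        for k, v in attributes.items())
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>'
           % DSIG_NS) if signed else ""
    subject = "<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>"
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"'
        ' Issuer="idp.example.org" IssueInstant="2009-01-01T12:00:00Z">'
        '<saml:Conditions NotBefore="2009-01-01T12:00:00Z" NotOnOrAfter="%s"/>%s'
        '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"'
        ' AuthenticationInstant="2009-01-01T12:00:00Z">%s</saml:AuthenticationStatement>'
        "<saml:AttributeStatement>%s%s</saml:AttributeStatement></saml:Assertion>"
        % (SAML_NS, not_on_or_after, sig, subject, subject, attr_xml))


if __name__ == "__main__":
    good = dict(zip(REQUIRED_ATTRIBUTES, ("jdoe", "Jane", "Doe", "jdoe@example.org")))
    now = parse_instant("2009-01-01T12:30:00Z")
    print("complete, signed:", check_assertion(build_sample(good), now))
    incomplete = {k: v for k, v in good.items() if k != "EmailAddress"}
    print("unsigned, no email:", check_assertion(build_sample(incomplete, signed=False), now))
```

Run it against the assertion your own IdP returns (paste the XML into check_assertion) with a clock value inside the assertion's validity window; each string in the returned list is one requirement Dorian would reject the assertion for.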

The caGrid/GAARDS Authentication Service provides a framework for issuing SAML Assertions on behalf of existing credential providers so that they can easily be integrated with Dorian and other grid credential providers. The Authentication Service also provides a uniform authentication interface on which applications can be built. This guide gives an overview of how to stand up an Authentication Service for an Identity Provider so that the Identity Provider can be integrated with Dorian.

Authentication Service

The Authentication Service is a Spring-based framework that provides several integration points for Identity Providers. It is configured through a single configuration file, authentication-config.xml, shown below; the @...@ tokens are placeholders that you replace with your own values:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultAuthenticationProvider">
        <property name="subjectProvider" ref="subjectProvider"/>
        <property name="samlProvider" ref="samlProvider"/>
    </bean>
    <bean id="subjectProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultSubjectProvider">
        <property name="authenticationManager">
            <bean class="gov.nih.nci.security.SecurityServiceProvider" factory-method="getAuthenticationManager">
                <!-- The name of the security policy -->
                <constructor-arg value="@CSM_APP_CONTEXT@"/>
            </bean>
        </property>
    </bean>
    <bean id="samlProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultSAMLProvider"
        init-method="loadCertificates">
        <property name="certificateFileName" value="@SAML_PROVIDER_CRT@"/>
        <property name="privateKeyFileName" value="@SAML_PROVIDER_KEY@"/>
        <property name="password" value="@SAML_PROVIDER_PWD@"/>
    </bean>
</beans>

The authenticationProvider bean is the highest-level integration point and implements the gov.nih.nci.cagrid.authentication.common.AuthenticationProvider interface. An AuthenticationProvider is responsible for 1) validating the credential provided by a user and 2) returning a Dorian-compliant SAML Assertion if the credential validates. At minimum, an implementation of this interface must be provided to integrate an Identity Provider with the Authentication Service. If your Identity Provider can itself issue Dorian-compliant SAML Assertions, integrate it at this point by implementing gov.nih.nci.cagrid.authentication.common.AuthenticationProvider for your Identity Provider (Approach 1).

Otherwise, use the default implementation of the interface, gov.nih.nci.cagrid.authentication.service.DefaultAuthenticationProvider. The DefaultAuthenticationProvider is made up of two sub-components, the Subject Provider and the SAML Provider, and so splits the required functionality into two separate integration points:

  1. The Subject Provider (implementing gov.nih.nci.cagrid.authentication.common.SubjectProvider) receives a credential and validates it; on success it returns a Subject containing the attributes that must appear in the SAML Assertion (UserId, First Name, Last Name, Email).
  2. The SAML Provider (implementing gov.nih.nci.cagrid.authentication.common.SAMLProvider) consumes the Subject returned by the Subject Provider and creates and returns a Dorian-compliant SAML Assertion.

The default SAMLProvider implementation is gov.nih.nci.cagrid.authentication.service.DefaultSAMLProvider. It requires a certificate and private key, which it uses to create and sign the SAML Assertions built from the subjects the SubjectProvider returns. Although you may provide a custom SAML Provider, the default implementation should be sufficient in most cases. The default SubjectProvider implementation, gov.nih.nci.cagrid.authentication.service.DefaultSubjectProvider, leverages the Common Security Module (CSM) to integrate with the Identity Providers CSM supports (CSM, LDAP, LDAPS).

Use the DefaultAuthenticationProvider when the Identity Provider can authenticate the user and provide the required attributes but cannot issue Dorian-compliant SAML Assertions. When doing so, use the DefaultSubjectProvider if your Identity Provider is supported by CSM (Approach 2); if it is not, implement a custom SubjectProvider (Approach 3).

Approach 1: Implement the Authentication Provider

This option should be used when the Identity Provider being integrated can authenticate users and issue Dorian-compliant SAML Assertions itself. To integrate an Identity Provider under this approach, complete the following steps:

Step 1: Configure your Environment to use the Training Grid

For the purposes of this guide, and for testing, we will integrate your Identity Provider into the Training Grid. To do so you must first configure your environment to use the Training Grid; directions for that are provided separately.

Step 2: Obtain a Host Credential on the Training Grid

The Authentication Service must run as a secure service, so the container hosting it must run with a host credential. A host credential consists of an X.509 certificate and its private key. Host credentials for the Training Grid are obtained as described in the Training Grid documentation.

Step 3: Configure a Secure Container

Now that you have a host credential, use it to configure a secure container. The Authentication Service can run in either a secure Globus container or a secure Tomcat container; follow the separate directions for configuring whichever container you choose.

Step 4: Implement the AuthenticationProvider interface

The AuthenticationProvider interface (gov.nih.nci.cagrid.authentication.common.AuthenticationProvider) can be found in caGrid-1.x-authentication-service-common.jar. Implementing it requires three methods: 1) setSAMLProvider(), 2) setSubjectProvider(), and 3) authenticate(). The first two are the injection hooks for the sub-components the default provider uses; a self-contained implementation like the one below can leave them empty. To illustrate, the following implementation (1) connects to an HTTPS web application, (2) authenticates to it with HTTP Basic authentication using the credential provided, and (3) retrieves a SAML Assertion from the web application if authentication succeeds. Note that it uses EasySSLProtocolSocketFactory, which accepts any server certificate. That is acceptable against a test IdP, but in production it means the user's password is handed to whoever answers at the IdP's address, so use a socket factory that validates the IdP's certificate instead:

import java.io.ByteArrayInputStream;
import java.rmi.RemoteException;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;

import gov.nih.nci.cagrid.authentication.common.AuthenticationProvider;
import gov.nih.nci.cagrid.authentication.common.SAMLProvider;
import gov.nih.nci.cagrid.authentication.common.SubjectProvider;
// Credential, BasicAuthenticationCredential, InvalidCredentialFault, the three exception types and
// SAMLAssertion/SAMLResponse come from caGrid-1.x-authentication-service-common.jar and the caGrid
// OpenSAML jar; import them from the packages of the caGrid release you build against.

public class ExampleAuthenticationProvider implements AuthenticationProvider {

    // Placeholders: the IdP host, and the HTTPS endpoint that returns a SAML Response after Basic auth.
    private static final String IDP_HOST = "idp.example.org";
    private static final String IDP_URL = "https://" + IDP_HOST + "/saml";

    public ExampleAuthenticationProvider() {
        super();
    }

    public SAMLAssertion authenticate(Credential credential) throws RemoteException, InvalidCredentialException,
        InsufficientAttributeException, AuthenticationProviderException {
        if (credential.getBasicAuthenticationCredential() == null) {
            // This IdP only understands username/password; reject any other credential type.
            InvalidCredentialFault fault = new InvalidCredentialFault();
            fault.setFaultString("The IdP requires a username and password!!!");
            throw fault;
        }
        BasicAuthenticationCredential cred = credential.getBasicAuthenticationCredential();

        // WARNING: EasySSLProtocolSocketFactory trusts any server certificate. Fine against a test IdP,
        // but in production the user's password would go to whoever answers at IDP_URL. Replace it with
        // a factory that validates the IdP certificate (e.g. AuthSSLProtocolSocketFactory with a truststore).
        Protocol.registerProtocol("https", new Protocol("https", new EasySSLProtocolSocketFactory(), 443));
        HttpClient client = new HttpClient();
        // Offer the user's password only to the IdP host, not to any host that challenges on port 443.
        client.getState().setCredentials(new AuthScope(IDP_HOST, 443, AuthScope.ANY_REALM),
            new UsernamePasswordCredentials(cred.getUserId(), cred.getPassword()));
        GetMethod get = new GetMethod(IDP_URL);
        get.setDoAuthentication(true);

        try {
            // execute the GET; the IdP challenges for Basic auth and HttpClient answers with the credential
            int status = client.executeMethod(get);
            if (status == HttpStatus.SC_UNAUTHORIZED) {
                // The IdP rejected the username/password.
                throw new InvalidCredentialException("Invalid Login Specified!!!");
            } else if (status != HttpStatus.SC_OK) {
                throw new AuthenticationProviderException("Error authenticating with server. (" + status + ")");
            }
            // The IdP answers with a SAML Response wrapping the signed assertion for this user.
            SAMLResponse res = new SAMLResponse(new ByteArrayInputStream(get.getResponseBody()));
            if (!res.getAssertions().hasNext()) {
                throw new AuthenticationProviderException("IdP response contained no SAML assertion");
            }
            return (SAMLAssertion) res.getAssertions().next();
        } catch (InvalidCredentialException e) {
            // Re-throw as-is so the caller sees a bad-credential failure, not a generic provider error.
            throw e;
        } catch (AuthenticationProviderException e) {
            throw e;
        } catch (Exception e) {
            throw new AuthenticationProviderException(e.getMessage());
        } finally {
            // release any connection resources used by the method
            get.releaseConnection();
        }
    }

    public void setSAMLProvider(SAMLProvider samlProvider) {
        // Not used: the IdP issues the assertion itself.
    }

    public void setSubjectProvider(SubjectProvider subjectProvider) {
        // Not used: the IdP validates the credential itself.
    }
}

Step 5: Package and Distribute AuthenticationProvider

Once you have completed your implementation of the AuthenticationProvider interface, build it and create a jar file containing it and any supporting classes it requires. Place that jar, and any jars your implementation depends on, in AUTHENTICATION_SERVICE_LOCATION/lib.

Step 6: Configure the Authentication Service

Next, edit the Authentication Service configuration (AUTHENTICATION_SERVICE_LOCATION/resources/authentication-config.xml) to use your implementation of the AuthenticationProvider: 1) change the class attribute of the authenticationProvider bean to the class name of your implementation and 2) remove all other beans from the configuration file. Below is an example configuration file for the example implementation presented above:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>
    <bean id="authenticationProvider" class="org.cagrid.gaards.examples.ExampleAuthenticationProvider">
    </bean>
</beans>

Step 7: Build the Authentication Service

To build the Authentication Service type:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant clean all

Step 8: Deploying the Authentication Service

Once you have configured a secure container (Globus or Tomcat) you need to deploy the Authentication Service to that container. To deploy the Authentication Service to a secure Globus container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployGlobus

To deploy the Authentication Service to a secure Tomcat container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployTomcat

Whichever container you choose, you will see a large amount of output; if the deployment succeeds the output ends with the words "BUILD SUCCESSFUL".

Step 9: Request to add your Identity Provider to the Training Dorian as Trusted Identity Provider

To test that your Identity Provider is integrated with the Authentication Service and is issuing Dorian-compliant SAML Assertions, request that it be added to the Training Dorian as a Trusted Identity Provider. Once added, users with accounts on your Identity Provider can log in and obtain an account on the Training Grid using their local credentials. To make the request, send email to CAGRID_USERS-L@LIST.NIH.GOV giving the name of your organization and attaching, in PEM format, the X.509 certificate corresponding to the private key your Authentication Service/Identity Provider uses to sign SAML Assertions. Send only the certificate; the private key never leaves the Authentication Service host.

Step 10: Test Logging onto the Training Grid

Once you have received confirmation that your Identity Provider has been added to the Training Dorian as a Trusted Identity Provider, test the integration by logging onto the Training Grid:

  1. Launch the GAARDS UI.
  2. From the top menu select Window ==> Preferences; this opens the Preferences window.
  3. In the tree on the left, expand the Grid User Management node and select Authentication Service(s).
  4. In the text field to the left of the Add button, enter the service URL of your Authentication Service and click Add.
  5. Click the Save button; this saves your preferences and closes the window.
  6. Click the Login button on the GAARDS UI toolbar to open the Create Proxy (login) window.
  7. From the Dorian Service drop-down select: https://dorian.cagrid.org:6443/wsrf/services/cagrid/Dorian
  8. From the Authentication Service drop-down select the URI of your Authentication Service.
  9. In the User Id text field enter the user id assigned to you by your Identity Provider.
  10. In the Password text field enter your password.
  11. Click the Authenticate button. This 1) authenticates you with your Identity Provider, 2) obtains a SAML Assertion from it, and 3) presents that SAML Assertion to Dorian to create a grid proxy. Once the grid proxy is created the Create Proxy window closes and the Proxy Manager window opens showing the new proxy.

If you are able to successfully login and obtain a Grid proxy your Identity Provider has been successfully integrated with the Training Grid.

Approach 2: Default Authentication Provider with Default Subject Provider

This option should be used when your Identity Provider cannot issue SAML Assertions but is supported by the Common Security Module (CSM). To integrate an Identity Provider under this approach, complete the following steps:

Step 1: Configure your Environment to use the Training Grid

For the purposes of this guide, and for testing, we will integrate your Identity Provider into the Training Grid. To do so you must first configure your environment to use the Training Grid; directions for that are provided separately.

Step 2: Obtain a Host Credential on the Training Grid

The Authentication Service must run as a secure service, so the container hosting it must run with a host credential. A host credential consists of an X.509 certificate and its private key. Host credentials for the Training Grid are obtained as described in the Training Grid documentation.

Step 3: Configure a Secure Container

Now that you have a host credential, use it to configure a secure container. The Authentication Service can run in either a secure Globus container or a secure Tomcat container; follow the separate directions for configuring whichever container you choose.

Step 4: Configure CSM

Under this approach CSM validates the user's credential and retrieves the user attributes required in a Dorian-compliant SAML Assertion. CSM uses the Java Authentication and Authorization Service (JAAS) so that the modules responsible for authentication can be plugged in through a standard mechanism. CSM provides login modules for both LDAP and RDBMS; this section shows how to configure each.

Note: JAAS provides a flexible configuration mechanism. This section describes only one approach (in particular, it describes the approach used by the caGrid installer.) For details on configuring JAAS, see: http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html

The SAML Assertion presented to Dorian to obtain grid credentials must carry information about the user in the form of SAML attributes, corresponding to:

  1. First Name
  2. Last Name
  3. Email Address

CSM must therefore be configured to retrieve that information from the LDAP server or the RDBMS. The JAAS configuration file that does so should be named .java.login.config and placed in the home directory of the user account that the Tomcat or Globus container runs under. The file can contain credentials (the RDBMS password in the example below), so make it readable only by that account.

RDBMS Configuration

Below is an example of a JAAS configuration file that configures the CSM RDBMSLoginModule:

myapp {
    gov.nih.nci.security.authentication.loginmodules.RDBMSLoginModule required
    driver="org.gjt.mm.mysql.Driver"
    url="jdbc:mysql://somehost:3306/somedatabase"
    user="dbuser"
    passwd="dbpassword"
    TABLE_NAME="CSM_USER"
    USER_LOGIN_ID="LOGIN_NAME"
    USER_PASSWORD="PASSWORD"
    USER_FIRST_NAME="FIRST_NAME"
    USER_LAST_NAME="LAST_NAME"
    USER_EMAIL_ID="EMAIL_ID"
    encryption="YES";
};

In the above configuration the JAAS application name is myapp. The driver, url, user, and passwd parameters configure the JDBC connection to the RDBMS; here a MySQL driver is used. The JDBC driver for your RDBMS must be placed in AUTHENTICATION_SERVICE_LOCATION/lib before the service is deployed. The TABLE_NAME, USER_LOGIN_ID, USER_PASSWORD, USER_FIRST_NAME, USER_LAST_NAME, and USER_EMAIL_ID parameters name the table and columns used to validate the user's credentials and retrieve the required attributes. If CSM manages these accounts, the encryption parameter controls whether CSM's password encryption is applied when the user's password is validated.

LDAP Configuration

If your Identity Provider uses LDAP, configure JAAS to use the CSM LDAPLoginModule. An example JAAS configuration file for the LDAPLoginModule is shown below. Use an ldaps:// URL as shown, so that users' passwords are not sent to the directory in the clear:

myapp{
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule required
    ldapHost="ldaps://my.ldap.host.org:636"
    ldapSearchableBase="ou=some,o=base"
    ldapUserIdLabel="cn"
    USER_FIRST_NAME="givenName"
    USER_LAST_NAME="sn"
    USER_EMAIL_ID="mail";
};
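The following added example (not part of CSM or caGrid) parses the .java.login.config syntax shown above into a Python structure and flags the mistakes most likely to matter here: an LDAP module configured with ldap:// rather than ldaps://, which sends users' passwords to the directory in the clear; a module that does not map one of USER_FIRST_NAME, USER_LAST_NAME or USER_EMAIL_ID, which leaves the assertion short of an attribute Dorian requires; and an RDBMS module whose encryption option is not YES. The configurations it runs over are constructed here, a deliberately weak LDAP entry beside corrected RDBMS and LDAP entries. Whatever the lint reports, the RDBMS passwd still sits in the file in cleartext, so keep the file readable only by the container account.

```python
"""Parse and lint a CSM JAAS login configuration before deploying it (added example, not CSM/caGrid code)."""
import re

FLAGS = ("required", "requisite", "sufficient", "optional")
ATTRIBUTE_OPTIONS = ("USER_FIRST_NAME", "USER_LAST_NAME", "USER_EMAIL_ID")
# whitespace and // comments are matched but not yielded; values keep their quotes until yielded
TOKEN = re.compile(r'\s+|//[^\n]*|(?P<str>"[^"]*")|(?P<sym>[{};=])|(?P<word>[^\s{};="]+)')


def tokenize(text):
    """Yield words, the symbols { } ; = and unquoted string values."""
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad JAAS syntax at offset %d" % pos)
        pos = m.end()
        if m.lastgroup == "str":
            yield m.group("str")[1:-1]
        elif m.lastgroup in ("sym", "word"):
            yield m.group(m.lastgroup)


def parse_jaas(text):
    """Return {app_name: [{"class": ..., "flag": ..., "options": {...}}, ...]}."""
    toks = list(tokenize(text))
    apps, i = {}, 0
    try:
        while i < len(toks):
            app = toks[i]
            if toks[i + 1] != "{":
                raise ValueError("expected '{' after application name %s" % app)
            i += 2
            entries = []
            while toks[i] != "}":
                cls, flag = toks[i], toks[i + 1].lower()
                if flag not in FLAGS:
                    raise ValueError("bad control flag %r for %s" % (toks[i + 1], cls))
                i += 2
                options = {}
                while toks[i] != ";":  # option list: key=value ... terminated by ';'
                    if toks[i + 1] != "=":
                        raise ValueError("expected key=value in %s, got %r" % (cls, toks[i]))
                    options[toks[i]] = toks[i + 2]
                    i += 3
                i += 1
                entries.append({"class": cls, "flag": flag, "options": options})
            i += 1
            if i < len(toks) and toks[i] == ";":
                i += 1
            apps[app] = entries
    except IndexError:
        raise ValueError("unexpected end of JAAS configuration")
    return apps


def lint(apps):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for app, entries in apps.items():
        for entry in entries:
            module, opts = entry["class"].rsplit(".", 1)[-1], entry["options"]
            if module == "LDAPLoginModule":
                host = opts.get("ldapHost", "")
                if not host.lower().startswith("ldaps://"):
                    findings.append("%s: ldapHost %r is not ldaps://; passwords would cross the network in the clear" % (app, host))
            elif module == "RDBMSLoginModule":
                if opts.get("encryption", "").upper() != "YES":
                    findings.append("%s: encryption is not YES; CSM will not apply its password encryption on login" % app)
            else:
                continue
            for key in ATTRIBUTE_OPTIONS:
                if key not in opts:
                    findings.append("%s: %s is not mapped, so the assertion would lack an attribute Dorian requires" % (app, key))
    return findings


# CONSTRUCTED configurations: a weak LDAP entry, then corrected RDBMS and LDAP entries.
WEAK_LDAP = '''
myapp {
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule required
    ldapHost="ldap://my.ldap.host.org:389"   // plaintext directory connection
    ldapSearchableBase="ou=some,o=base"
    ldapUserIdLabel="cn"
    USER_FIRST_NAME="givenName"
    USER_LAST_NAME="sn";
};
'''
GOOD_CONFIG = '''
myrdbms {
    gov.nih.nci.security.authentication.loginmodules.RDBMSLoginModule required
    driver="org.gjt.mm.mysql.Driver"  url="jdbc:mysql://somehost:3306/somedatabase"
    user="dbuser"  passwd="dbpassword"  TABLE_NAME="CSM_USER"
    USER_LOGIN_ID="LOGIN_NAME"  USER_PASSWORD="PASSWORD"
    USER_FIRST_NAME="FIRST_NAME"  USER_LAST_NAME="LAST_NAME"  USER_EMAIL_ID="EMAIL_ID"
    encryption="YES";
};
myldap {
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule required
    ldapHost="ldaps://my.ldap.host.org:636"  ldapSearchableBase="ou=some,o=base"  ldapUserIdLabel="cn"
    USER_FIRST_NAME="givenName"  USER_LAST_NAME="sn"  USER_EMAIL_ID="mail";
};
'''

if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP), ("good", GOOD_CONFIG)):
        print(name, lint(parse_jaas(text)) or "no findings")
```

To lint the real file, read ~/.java.login.config of the container account and pass its contents to parse_jaas(); the JAAS application name you configure in authentication-config.xml must be one of the keys the parser returns.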

Step 5: Configure the Authentication Service

Next, edit the Authentication Service configuration (AUTHENTICATION_SERVICE_LOCATION/resources/authentication-config.xml) to point at the CSM configuration you completed in the last step: change the constructor argument of the subjectProvider bean to the JAAS application name (myapp) used in your JAAS configuration file. You must also configure the default SAML provider to sign SAML Assertions with your host certificate and private key (obtained in Step 2) by editing the properties of the samlProvider bean: set certificateFileName to the full path of the file containing your host certificate, and privateKeyFileName to the full path of the file containing your host private key. If the private key is encrypted, also set the password property shown in the template above. Dorian will accept every assertion signed with this key once your certificate is registered, so the key file must be readable only by the account the container runs under. Below is an example Authentication Service configuration file edited for this approach:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

    <bean id="subjectProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultSubjectProvider">
        <property name="authenticationManager">
            <bean class="gov.nih.nci.security.SecurityServiceProvider" factory-method="getAuthenticationManager">
                <!-- The name of the security policy -->
                <constructor-arg value="myapp"/>
            </bean>
        </property>
    </bean>

    <bean id="samlProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultSAMLProvider"
        init-method="loadCertificates">
        <property name="certificateFileName" value="myhost-cert.pem"/>
        <property name="privateKeyFileName" value="myhost-key.pem"/>
    </bean>

    <bean id="authenticationProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultAuthenticationProvider">
        <property name="subjectProvider" ref="subjectProvider"/>
        <property name="samlProvider" ref="samlProvider"/>
    </bean>


</beans>

Step 6: Build the Authentication Service

To build the Authentication Service type:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant clean all

Step 7: Deploying the Authentication Service

Once you have configured a secure container (Globus or Tomcat) you need to deploy the Authentication Service to that container. To deploy the Authentication Service to a secure Globus container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployGlobus

To deploy the Authentication Service to a secure Tomcat container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployTomcat

Whichever container you choose, you will see a large amount of output; if the deployment succeeds the output ends with the words "BUILD SUCCESSFUL".

Step 8: Request to add your Identity Provider to the Training Dorian as Trusted Identity Provider

To test that your Identity Provider is integrated with the Authentication Service and is issuing Dorian-compliant SAML Assertions, request that it be added to the Training Dorian as a Trusted Identity Provider. Once added, users with accounts on your Identity Provider can log in and obtain an account on the Training Grid using their local credentials. To make the request, send email to CAGRID_USERS-L@LIST.NIH.GOV giving the name of your organization and attaching, in PEM format, the X.509 certificate corresponding to the private key your Authentication Service/Identity Provider uses to sign SAML Assertions. Send only the certificate; the private key never leaves the Authentication Service host.

Step 9: Test Logging onto the Training Grid

Once you have received confirmation that your Identity Provider has been added to the Training Dorian as a Trusted Identity Provider, test the integration by logging onto the Training Grid:

  1. Launch the GAARDS UI.
  2. From the top menu select Window ==> Preferences; this opens the Preferences window.
  3. In the tree on the left, expand the Grid User Management node and select Authentication Service(s).
  4. In the text field to the left of the Add button, enter the service URL of your Authentication Service and click Add.
  5. Click the Save button; this saves your preferences and closes the window.
  6. Click the Login button on the GAARDS UI toolbar to open the Create Proxy (login) window.
  7. From the Dorian Service drop-down select: https://dorian.cagrid.org:6443/wsrf/services/cagrid/Dorian
  8. From the Authentication Service drop-down select the URI of your Authentication Service.
  9. In the User Id text field enter the user id assigned to you by your Identity Provider.
  10. In the Password text field enter your password.
  11. Click the Authenticate button. This 1) authenticates you with your Identity Provider, 2) obtains a SAML Assertion from it, and 3) presents that SAML Assertion to Dorian to create a grid proxy. Once the grid proxy is created the Create Proxy window closes and the Proxy Manager window opens showing the new proxy.

If you are able to successfully login and obtain a Grid proxy your Identity Provider has been successfully integrated with the Training Grid.

Approach 3: Default Authentication Provider with Custom Subject Provider

This option should be used when your Identity Provider cannot issue SAML Assertions and is not supported by the Common Security Module (CSM). To integrate an Identity Provider under this approach, complete the following steps:

Step 1: Configure your Environment to use the Training Grid

For the purposes of this guide, and for testing, we will integrate your Identity Provider into the Training Grid. To do so you must first configure your environment to use the Training Grid; directions for that are provided separately.

Step 2: Obtain a Host Credential on the Training Grid

The Authentication Service must run as a secure service, so the container hosting it must run with a host credential. A host credential consists of an X.509 certificate and its private key. Host credentials for the Training Grid are obtained as described in the Training Grid documentation.

Step 3: Configure a Secure Container

Now that you have a host credential, use it to configure a secure container. The Authentication Service can run in either a secure Globus container or a secure Tomcat container; follow the separate directions for configuring whichever container you choose.

Step 4: Implement the SubjectProvider Interface

The SubjectProvider interface (gov.nih.nci.cagrid.authentication.common.SubjectProvider) can be found in caGrid-1.x-authentication-service-common.jar. Implementing the interface requires implementing the getSubject() method, which is responsible for authenticating the user with the Identity Provider using the credential provided and, once the user is authenticated, for populating a Subject object with the user's identity and the attributes required for a Dorian-compliant SAML Assertion (UserId, First Name, Last Name, Email). The exceptions declared on authenticate() in Approach 1 show the two failure cases getSubject() must distinguish: a credential that does not validate (InvalidCredentialException) and a user record that lacks one of the required attributes (InsufficientAttributeException), which must be reported rather than allowed to produce an assertion with missing attributes.
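The Java SubjectProvider for this approach depends on the caGrid Subject bean, whose API this page does not show, so the contract is modelled here in Python instead. This is an added example, not caGrid code: get_subject() validates a username/password against a constructed in-memory directory (standing in for your Identity Provider), returns the four attributes Dorian needs, and separates the two failure cases the interface declares, a bad credential and a user record missing a required attribute. Two details are worth carrying into a real implementation: the password comparison is constant-time, and an unknown user gets the same error and the same amount of work as a wrong password, so the provider does not reveal which accounts exist.

```python
"""Model of the Subject Provider contract for Approach 3 (added example, not caGrid code)."""
import hashlib
import hmac
import os


class InvalidCredentialError(Exception):
    """Counterpart of InvalidCredentialException: the credential did not validate."""


class InsufficientAttributeError(Exception):
    """Counterpart of InsufficientAttributeException: the user lacks an attribute Dorian needs."""


REQUIRED = ("user_id", "first_name", "last_name", "email")
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest) so the directory never stores the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class DirectorySubjectProvider:
    """get_subject(): validate a username/password, then return the four attributes as a dict."""

    def __init__(self, records):
        # records: user_id -> {"salt", "digest", "first_name", "last_name", "email"} (CONSTRUCTED here)
        self._records = records
        # Hashed against for unknown users so the time taken does not reveal whether an account exists.
        self._decoy_salt, self._decoy_digest = hash_password(os.urandom(16).hex())

    def get_subject(self, user_id, password):
        rec = self._records.get(user_id)
        salt, digest = (rec["salt"], rec["digest"]) if rec else (self._decoy_salt, self._decoy_digest)
        _, candidate = hash_password(password, salt)
        # Constant-time compare, and one message for both "no such user" and "wrong password".
        if rec is None or not hmac.compare_digest(candidate, digest):
            raise InvalidCredentialError("Invalid login specified")
        subject = {"user_id": user_id}
        for attr in REQUIRED[1:]:
            subject[attr] = (rec.get(attr) or "").strip()
        missing = [a for a in REQUIRED if not subject[a]]
        if missing:
            # Refuse rather than let an assertion go out without the attributes Dorian requires.
            raise InsufficientAttributeError("user %s is missing: %s" % (user_id, ", ".join(missing)))
        return subject


def outcome(provider, user_id, password):
    """Fold get_subject() into a (status, payload) tuple: ("ok", subject) or (failure kind, message)."""
    try:
        return "ok", provider.get_subject(user_id, password)
    except InvalidCredentialError as e:
        return "invalid", str(e)
    except InsufficientAttributeError as e:
        return "insufficient", str(e)


def constructed_directory():
    """Two CONSTRUCTED test accounts: one complete, one without an email address."""
    users = {}
    for uid, pw, first, last, email in (("jdoe", "correct horse", "Jane", "Doe", "jdoe@example.org"),
                                        ("noemail", "battery staple", "No", "Mail", "")):
        salt, digest = hash_password(pw)
        users[uid] = {"salt": salt, "digest": digest, "first_name": first, "last_name": last, "email": email}
    return users


if __name__ == "__main__":
    provider = DirectorySubjectProvider(constructed_directory())
    for uid, pw in (("jdoe", "correct horse"), ("jdoe", "wrong"), ("ghost", "correct horse"), ("noemail", "battery staple")):
        print(uid, "->", outcome(provider, uid, pw))
```

In the Java implementation the same three outcomes map onto returning the populated Subject, throwing InvalidCredentialException, and throwing InsufficientAttributeException; the DefaultSAMLProvider then signs only subjects that reach the first case.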

Step 5: Package and Distribute the SubjectProvider

Once you have completed your implementation of the SubjectProvider interface, build it and create a jar file containing it and any supporting classes it requires. Place that jar, and any jars your implementation depends on, in AUTHENTICATION_SERVICE_LOCATION/lib.

Step 6: Configure the Authentication Service

Next, edit the Authentication Service configuration (AUTHENTICATION_SERVICE_LOCATION/resources/authentication-config.xml) to use your implementation of the SubjectProvider: change the class attribute of the subjectProvider bean to the class name of your implementation. You must also configure the default SAML provider to sign SAML Assertions with your host certificate and private key (obtained in Step 2) by editing the properties of the samlProvider bean: set certificateFileName to the full path of the file containing your host certificate, and privateKeyFileName to the full path of the file containing your host private key. If the private key is encrypted, also set the password property shown in the template above. Dorian will accept every assertion signed with this key once your certificate is registered, so the key file must be readable only by the account the container runs under. Below is an example Authentication Service configuration file edited for this approach:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

    <bean id="subjectProvider" class="gov.nih.nci.cagrid.authentication.service.MySubjectProvider">

    </bean>

    <bean id="samlProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultSAMLProvider"
        init-method="loadCertificates">
        <property name="certificateFileName" value="myhost-cert.pem"/>
        <property name="privateKeyFileName" value="myhost-key.pem"/>
    </bean>

    <bean id="authenticationProvider" class="gov.nih.nci.cagrid.authentication.service.DefaultAuthenticationProvider">
        <property name="subjectProvider" ref="subjectProvider"/>
        <property name="samlProvider" ref="samlProvider"/>
    </bean>


</beans>

Step 7: Build the Authentication Service

To build the Authentication Service type:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant clean all

Step 8: Deploying the Authentication Service

Once you have configured a secure container (Globus or Tomcat) you need to deploy the Authentication Service to that container. To deploy the Authentication Service to a secure Globus container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployGlobus

To deploy the Authentication Service to a secure Tomcat container type the following from a command prompt:

%> cd AUTHENTICATION_SERVICE_LOCATION
%> ant deployTomcat

Whichever container you choose, you will see a large amount of output; if the deployment succeeds the output ends with the words "BUILD SUCCESSFUL".

Step 9: Request to add your Identity Provider to the Training Dorian as Trusted Identity Provider

To test that your Identity Provider is integrated with the Authentication Service and is issuing Dorian-compliant SAML Assertions, request that it be added to the Training Dorian as a Trusted Identity Provider. Once added, users with accounts on your Identity Provider can log in and obtain an account on the Training Grid using their local credentials. To make the request, send email to CAGRID_USERS-L@LIST.NIH.GOV giving the name of your organization and attaching, in PEM format, the X.509 certificate corresponding to the private key your Authentication Service/Identity Provider uses to sign SAML Assertions. Send only the certificate; the private key never leaves the Authentication Service host.

Step 10: Test Logging onto the Training Grid

Once you have received confirmation that your Identity Provider has been added to the Training Dorian as a Trusted Identity Provider, test the integration by logging onto the Training Grid:

  1. Launch the GAARDS UI.
  2. From the top menu select Window ==> Preferences; this opens the Preferences window.
  3. In the tree on the left, expand the Grid User Management node and select Authentication Service(s).
  4. In the text field to the left of the Add button, enter the service URL of your Authentication Service and click Add.
  5. Click the Save button; this saves your preferences and closes the window.
  6. Click the Login button on the GAARDS UI toolbar to open the Create Proxy (login) window.
  7. From the Dorian Service drop-down select: https://dorian.cagrid.org:6443/wsrf/services/cagrid/Dorian
  8. From the Authentication Service drop-down select the URI of your Authentication Service.
  9. In the User Id text field enter the user id assigned to you by your Identity Provider.
  10. In the Password text field enter your password.
  11. Click the Authenticate button. This 1) authenticates you with your Identity Provider, 2) obtains a SAML Assertion from it, and 3) presents that SAML Assertion to Dorian to create a grid proxy. Once the grid proxy is created the Create Proxy window closes and the Proxy Manager window opens showing the new proxy.

If you are able to successfully login and obtain a Grid proxy your Identity Provider has been successfully integrated with the Training Grid.

Last edited by Alexandra Permar