Programmatically Login to Dorian
Overview
Dorian is an account management system for the Grid. Dorian provides an integration point between external security domains and the grid, allowing accounts managed in external domains to be federated and managed in the grid. This allows users to use their organization-provided credentials, or the credentials they use every day, to "logon" to the Grid. Dorian also provides a built-in mechanism for issuing accounts to users who do not already have accounts elsewhere or who, for whatever reason, do not wish to leverage their existing accounts. This guide provides detailed instructions on how to use the Dorian Client Java API to log in to the Grid.
Technical Details
An Identity Provider (IdP) is a computer system that issues credentials to individual end users and also verifies that the issued credentials are valid. Dorian allows accounts issued by existing IdPs to be used to create and access accounts in the Grid. This allows users to use their organization-provided credentials, or the credentials they use every day, to log in to the Grid. Dorian also provides its own IdP, which can be used in conjunction with other IdPs or by itself to issue accounts to users.

In the context of Dorian, the role of the IdP is to (1) authenticate the user by validating the credentials it issued to the user and (2) issue proof to the user that they have successfully authenticated. This proof is represented by a SAML Assertion and is consumed by Dorian to create a grid account for the user and issue grid credentials to the user. The caGrid/GAARDS Authentication Service provides a framework for issuing SAML assertions for existing credential providers so that they may easily be integrated with Dorian and other grid credential providers. The Authentication Service also provides a uniform authentication interface on which applications can be built. All Identity Providers integrated with Dorian provide an implementation of the Authentication Service interface; this includes the Dorian IdP.

To programmatically log in to Dorian, one must use the AuthenticationService Client API to authenticate with an Identity Provider and obtain a SAML Assertion. Once the SAML Assertion is obtained, the Dorian Client API can be used to request a grid credential. The SAML Assertion will be accepted by Dorian ONLY IF the IdP that issued the assertion is registered with Dorian as a Trusted IdP. Below we show a code example that illustrates how to programmatically log on to the Grid; in the example a user id and password are used to authenticate.

The type of credential used depends on what the Authentication Service requires: when calling the authenticate() method of the AuthenticationClient, you should pass it the type of credential required by the organization's IdP. The code below obtains a PKI/Grid credential with a 12-hour lifetime.
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;
import org.cagrid.gaards.authentication.BasicAuthentication;
import org.cagrid.gaards.authentication.client.AuthenticationClient;
import org.cagrid.gaards.dorian.client.GridUserClient;
import org.cagrid.gaards.dorian.federation.CertificateLifetime;
import org.globus.gsi.GlobusCredential;

public class SampleAuthentication {

    public static GlobusCredential authenticate(String dorianURL,
            String authenticationServiceURL, String userId, String password)
            throws Exception {

        // Create credential (user id / password, as required by the Dorian IdP)
        BasicAuthentication auth = new BasicAuthentication();
        auth.setUserId(userId);
        auth.setPassword(password);

        // Authenticate to the IdP (DorianIdP) using the credential; the IdP
        // returns a SAML Assertion as proof of authentication
        AuthenticationClient authClient = new AuthenticationClient(authenticationServiceURL);
        SAMLAssertion saml = authClient.authenticate(auth);

        // Requested Grid Credential lifetime (12 hours)
        CertificateLifetime lifetime = new CertificateLifetime();
        lifetime.setHours(12);

        // Request PKI/Grid Credential from Dorian in exchange for the assertion
        GridUserClient dorian = new GridUserClient(dorianURL);
        GlobusCredential credential = dorian.requestUserCertificate(saml, lifetime);
        return credential;
    }
}
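The same two-step login (IdP authentication for a SAML Assertion, then a certificate request to Dorian), written here as an added example that is not part of the original guide or the caGrid code base. It caps the requested lifetime at a local policy maximum, reads the password from the console rather than a string literal, and checks the returned credential before handing it on. The policy constant, the clock-skew allowance, and the use of GlobusCredential.verify(), getTimeLeft() (seconds remaining) and getIdentity() are assumptions about the JGlobus API; the Dorian and Authentication Service calls are those shown above.

```java
import java.io.Console;
import java.util.Arrays;

import gov.nih.nci.cagrid.opensaml.SAMLAssertion;
import org.cagrid.gaards.authentication.BasicAuthentication;
import org.cagrid.gaards.authentication.client.AuthenticationClient;
import org.cagrid.gaards.dorian.client.GridUserClient;
import org.cagrid.gaards.dorian.federation.CertificateLifetime;
import org.globus.gsi.GlobusCredential;

public class BoundedGridLogin {

    // Local policy ceiling on the requested credential lifetime (assumed value).
    private static final int MAX_LIFETIME_HOURS = 12;
    // Tolerance for clock differences between client and Dorian (assumed value).
    private static final long SKEW_SECONDS = 300L;

    public static GlobusCredential login(String dorianURL, String authenticationServiceURL,
            String userId, char[] password, int requestedHours) throws Exception {
        // Never ask Dorian for more than local policy allows, whatever the caller requests.
        int hours = Math.min(Math.max(requestedHours, 1), MAX_LIFETIME_HOURS);

        BasicAuthentication auth = new BasicAuthentication();
        auth.setUserId(userId);
        auth.setPassword(new String(password));
        Arrays.fill(password, '\0');  // the caller's char[] copy is no longer needed

        // Step 1: authenticate to the IdP and obtain the SAML Assertion it issues.
        AuthenticationClient authClient = new AuthenticationClient(authenticationServiceURL);
        SAMLAssertion saml = authClient.authenticate(auth);

        // Step 2: exchange the assertion for a grid credential of bounded lifetime.
        CertificateLifetime lifetime = new CertificateLifetime();
        lifetime.setHours(hours);
        GridUserClient dorian = new GridUserClient(dorianURL);
        GlobusCredential credential = dorian.requestUserCertificate(saml, lifetime);

        // Step 3: check what came back before the application relies on it.
        credential.verify();  // assumed: validates the chain and expiry
        long secondsLeft = credential.getTimeLeft();  // assumed: seconds remaining
        if (secondsLeft <= 0 || secondsLeft > hours * 3600L + SKEW_SECONDS) {
            throw new IllegalStateException("unexpected credential lifetime: " + secondsLeft + "s");
        }
        System.out.println("Grid identity " + credential.getIdentity()
                + " valid for about " + (secondsLeft / 3600) + "h");
        return credential;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();  // null when no terminal is attached
        char[] pw = console.readPassword("Password for %s: ", args[2]);
        login(args[0], args[1], args[2], pw, 12);
    }
}
```

Run as `java BoundedGridLogin <dorianURL> <authenticationServiceURL> <userId>` with the caGrid client jars on the classpath; the lifetime check is the part a deployment would tune to its own policy.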