1 / 27

First Indico Workshop

This workshop, led by Alberto Resco Pérez, explores the fundamentals of authentication as it applies to Indico systems at CERN. We delve into various authentication methods, including Local, NICE, and LDAP authenticators, discussing their functionalities and how they provide secure access to private resources. The session covers OAuth implementation for controlled access and presents enhancements in upcoming versions designed to improve user experience. Join us to learn about these critical security aspects in resource management and identity verification in scientific environments.

bina
Télécharger la présentation

First Indico Workshop

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. First Indico Workshop Authentication 29-27 May 2013 CERN Alberto Resco Pérez

  2. authentication What is it: Authentication is the act of confirming the truth of an attribute of a datum or entity. • Users needs to authenticate to access private resources • Support for different types of authentications

  3. authenticators Currently we support 3 authenticators • Local • NICE CERN specific • LDAP (developed by Martin Kuba)

  4. Local Authenticator Basic authentication • Bases in a pair username/password • Capability to create accounts • Stored locally

  5. administration

  6. Local Sign up Active Manager

  7. Local Login

  8. Local Create an account

  9. Local Email confirmation

  10. Local Activation confirmation

  11. Local Account moderation

  12. Local Activate account

  13. Nice CERN Specific • Web services to lookup for users and groups • Single Sign On to login • Sometimes very slow

  14. Nice Authentication Workflow Redirect SSO Logged in Login

  15. ldap LDAP is an application protocol for accessing and maintaining distributed directory information services • Developed by Martin Kuba • Benefit from a centralized directory you may have in your institution • Indico@CERN: We can get rid of the webservices

  16. oauth Introduced in v1.1. Support for Oauth v1.0 • OAuth is an open standard for authorization. • OAuthprovides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). • It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (

  17. Oauth Workflow

  18. Indico mobile workflow Authentication Workflow Indico mobile Authorize Authorized Login

  19. Oauth: Administration List of consumers

  20. Oauth: user applications List of applications authorized

  21. New auth system

  22. New system To be released in v1.2* • Refactor of the code • Get rid of NICE Authenticator • Easy to add new authenticators • Faster, cache • SSO capabilities: it would only be a matter of configuration

  23. Basic config # etc/indico.conf AuthenticatorList= [(’Local’, {})]

  24. Configure ldap # etc/indico.conf AuthenticatorList= [(’LDAP', { 'host': 'cerndc.cern.ch', 'useTLS': False, 'peopleDNQuery': ('cn={0}’,'OU=Users,OU=Organic Units,DC=cern,DC=ch'), 'groupDNQuery': ('cn={0}', 'OU=Workgroups,DC=cern,DC=ch'), 'groupStyle': 'SLAPD’, 'accessCredentials': ('CN=indico,OU=Users,OU=Organic Units,DC=cern,DC=ch',’XXXXXXX’)})]

  25. Enable sso AuthenticatorList= [('MyAuthSystem', { 'SSOActive': True, 'LogoutCallbackURL': 'https://example.com/wsignout’, 'SSOMapping' = {'email': 'ADFS_EMAIL', 'login': 'ADFS_LOGIN', 'personId': 'ADFS_PERSONID’, 'phone': 'ADFS_PHONENUMBER’, 'fax': 'ADFS_FAXNUMBER', 'lastname': 'ADFS_LASTNAME’, 'firstname': 'ADFS_FIRSTNAME’, 'institute': 'ADFS_HOMEINSTITUTE’} })]

  26. Demo login ldap

  27. Questions? Alberto resco http://github.com/arescope @arescope arescope@cern.ch

More Related