Difference between revisions of "User:Msalle@nikhef.nl"
From PDP/Grid Wiki
Image: Imdi handshake.png (IMDI Browser handshake)
Revision as of 10:45, 6 October 2009
Projects:
nl.nikhef.slcshttps
Method
Method used by the IMDI browser to obtain a certificate, see image below
User point of view (mostly):
- User clicks/chooses initialization option
- java browser starts a webbrowser
- which points to the online CA at SURFnet
- Online CA redirects webbrowser to WAYF (Where Are You From) server where user chooses his Identity Provider
- User logs in at IdP
- webbrowser redirects back to online CA. User closes webbrowser.
- After confirmation by user, java browser now connects itself to online CA
- java browser retrieves certificate from online CA
Technical overview:
- Initialization procedure:
  - javabrowser creates a keypair
  - javabrowser creates a certificate signing request (CSR)
- javabrowser starts a webbrowser
- the URL is the online CA + a hash of the CSR
- Online CA redirects the browser to the IdP via a WAYF (Where Are You From). This is the standard Shibboleth trajectory.
- User logs in and the webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth.
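The two lists above describe one procedure from two angles. The Go program below is an added example (not code from the IMDI browser, nl.nikhef.slcshttps or the SURFnet online CA) that walks through it end to end with a constructed in-process online CA: the client generates a keypair and a CSR, puts a hash of the CSR in the URL the webbrowser is sent to, the Shibboleth return binds that hash to the IdP-asserted identity, and on the second connection the CA signs the CSR only if it hashes to a value bound to a logged-in user. The hash algorithm (SHA-256), the query parameter name `csrhash`, the CA base URL, the identity value and the certificate lifetimes are all assumptions, not values from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// OnlineCA is a constructed stand-in for the online CA: a signing key plus a
// table of CSR hashes that have been bound to an authenticated identity.
type OnlineCA struct {
	key      *rsa.PrivateKey
	cert     *x509.Certificate
	sessions map[string]string // hex CSR hash -> IdP-asserted user (assumed attribute)
}

func NewOnlineCA() (*OnlineCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Online CA"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &OnlineCA{key: key, cert: cert, sessions: map[string]string{}}, nil
}

// CSRHash is the value the java browser puts in the URL (SHA-256 is assumed).
func CSRHash(csrDER []byte) string {
	sum := sha256.Sum256(csrDER)
	return hex.EncodeToString(sum[:])
}

// InitURL builds the webbrowser URL: online CA + hash of the CSR.
// The parameter name "csrhash" is an assumption.
func InitURL(caBase, csrHash string) string {
	u, _ := url.Parse(caBase)
	q := u.Query()
	q.Set("csrhash", csrHash)
	u.RawQuery = q.Encode()
	return u.String()
}

// ShibbolethReturn models the WAYF/IdP round trip: the user has logged in and
// the CA now sees the hash from the URL together with the asserted identity.
func (ca *OnlineCA) ShibbolethReturn(rawURL, idpUser string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	h := u.Query().Get("csrhash")
	if len(h) != 64 {
		return errors.New("missing or malformed csrhash")
	}
	ca.sessions[h] = idpUser
	return nil
}

// Issue is the second connection: the java browser presents the full CSR.
// Signing only a CSR whose hash was bound to a login ties the browser
// authentication to this exact key; the subject comes from the IdP, not the CSR.
func (ca *OnlineCA) Issue(csrDER []byte) ([]byte, error) {
	h := CSRHash(csrDER)
	user, ok := ca.sessions[h]
	if !ok {
		return nil, errors.New("CSR not bound to an authenticated session")
	}
	delete(ca.sessions, h) // one certificate per login
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(11 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Handshake runs the whole procedure from the java browser's side.
func Handshake(ca *OnlineCA, caBase, idpUser string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "placeholder"}}, key)
	if err != nil {
		return nil, err
	}
	link := InitURL(caBase, CSRHash(csrDER))
	if err := ca.ShibbolethReturn(link, idpUser); err != nil {
		return nil, err
	}
	certDER, err := ca.Issue(csrDER)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return nil, errors.New("certificate was issued for another key")
	}
	return cert, nil
}

func main() {
	ca, err := NewOnlineCA()
	if err != nil {
		panic(err)
	}
	cert, err := Handshake(ca, "https://ca.example.org/slcs", "user@example-idp.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued to", cert.Subject.CommonName, "serial", cert.SerialNumber)
}
```

The check that matters on the CA side is the lookup by CSR hash in `Issue`: the login happened in a separate webbrowser, so the hash in the initial URL is the only thing linking that login to the keypair the java browser later presents, and a CA that signed any CSR arriving on the second connection would break that link.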
Files:
- full zip-archive (Full zip including jar file, build, and javadoc)
- zip-archive (Zip including only sources, run ant to get the rest)
- JDK1.5 jarfile
- Javadoc API
- SVN repository with source
Talks:
Note that you also need the BouncyCastle provider. Direct link to the JDK1.5 jarfile
gLite security
See e.g. Nikhef Site Access Control pages
