Difference between revisions of "User:Msalle@nikhef.nl"
From PDP/Grid Wiki
Line 6: | Line 6: | ||
Method used by the IMDI browser to obtain a certificate, see image below | Method used by the IMDI browser to obtain a certificate, see image below | ||
− | # User | + | User point of view (mostly): |
+ | |||
+ | # '''User''' clicks/chooses initialization option | ||
# java browser starts a webbrowser | # java browser starts a webbrowser | ||
# which points to the online CA at SURFnet | # which points to the online CA at SURFnet | ||
− | # Online CA redirects webbrowser to Identity Provider | + | # Online CA redirects webbrowser to WAYF (Where Are You From) server where '''user''' chooses his ''Identity Provider'' |
− | # User logs in | + | # '''User''' logs in at ''IdP'' |
− | # webbrowser redirects back to online CA. | + | # webbrowser redirects back to online CA. '''User''' closes webbrowser. |
− | # After confirmation java browser now connects itself to online CA | + | # After confirmation by '''user''', java browser now connects itself to online CA |
# java browser retrieves certificate from online CA | # java browser retrieves certificate from online CA | ||
+ | |||
+ | Technical overview: | ||
+ | |||
+ | # Initialization procedure: | ||
+ | ## javabrowser creates a keypair | ||
+ | ## javabrowser creates a certificate signing request (CSR) | ||
+ | # javabrowser starts a webbrowser | ||
+ | # the URL is the online CA + a hash of the CSR | ||
+ | # Online CA redirects to the browser to the IdP via a WAYF (where are you from). This is the standard Shibboleth trajectory. | ||
+ | # User logs in and the webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth. | ||
+ | |||
+ | |||
[[Image:Imdi handshake.png||IMDI Browser handshake]] | [[Image:Imdi handshake.png||IMDI Browser handshake]] |
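Review bot: The added "Technical overview" stops at step 5, the Shibboleth return to the online CA, so it never covers what the user view lists as its last two steps (java browser connects itself to the online CA and retrieves the certificate). Add those steps, and state there which hash of the CSR is put in the URL in step 3 and how the online CA relates it to the CSR the javabrowser created in step 1. Step 4 also has a stray word: "redirects to the browser to the IdP" should read "redirects the browser to the IdP".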
Revision as of 12:45, 6 October 2009
Projects:
nl.nikhef.slcshttps
Method
Method used by the IMDI browser to obtain a certificate, see image below
User point of view (mostly):
- User clicks/chooses initialization option
- java browser starts a webbrowser
- which points to the online CA at SURFnet
- Online CA redirects webbrowser to WAYF (Where Are You From) server where user chooses his Identity Provider
- User logs in at IdP
- webbrowser redirects back to online CA. User closes webbrowser.
- After confirmation by user, java browser now connects itself to online CA
- java browser retrieves certificate from online CA
Technical overview:
- Initialization procedure:
  - javabrowser creates a keypair
  - javabrowser creates a certificate signing request (CSR)
- javabrowser starts a webbrowser
- the URL is the online CA + a hash of the CSR
- Online CA redirects the browser to the IdP via a WAYF (Where Are You From). This is the standard Shibboleth trajectory.
- User logs in and the webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth.
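The initialization steps above (keypair, CSR, URL carrying a hash of the CSR) as an added example; this is not code from nl.nikhef.slcshttps. The CA address, the `csrhash` parameter name, the SHA-256 digest, the RSA-2048 key and the placeholder subject are all assumptions, and the code uses the current BouncyCastle `bcprov`/`bcpkix` API.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrHashUrlExample {
    // Assumed placeholder; the real online CA address is not given on this page.
    static final String CA_URL = "https://online-ca.example.org/request";

    // Step 1.1: the keypair is generated locally; the private key never
    // goes through the web browser or onto the URL.
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048); // assumed key size
        return gen.generateKeyPair();
    }

    // Step 1.2: a PKCS#10 CSR, self-signed with the new private key as
    // proof of possession. The subject is a placeholder (assumption).
    static PKCS10CertificationRequest newCsr(KeyPair kp) throws Exception {
        X500Principal subject = new X500Principal("CN=placeholder");
        ContentSigner signer =
            new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic())
            .build(signer);
    }

    // Hash over the DER encoding of the CSR (SHA-256 is an assumption).
    static String csrHashHex(PKCS10CertificationRequest csr) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(csr.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = newKeyPair();
        PKCS10CertificationRequest csr = newCsr(kp);
        // Step 3: only the hash of the CSR is placed on the URL handed to
        // the web browser. "csrhash" is a hypothetical parameter name.
        String url = CA_URL + "?csrhash=" + csrHashHex(csr);
        System.out.println(url);
    }
}
```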
Files:
- full zip-archive (Full zip including jar file, build, and javadoc)
- zip-archive (Zip including only sources, run ant to get the rest)
- JDK1.5 jarfile
- Javadoc API
- SVN repository with source
Talks:
Note that you also need the BouncyCastle provider. Direct link to the JDK1.5 jarfile
gLite security
See e.g. Nikhef Site Access Control pages