TG-auth*

The TG-auth* system consists of two main components:

  • openRBAC, a system to maintain, modify, and enforce authorization policies using the Role-Based Access Control framework. See http://www.openrbac.de/; note, however, that the basic software has been heavily customized for use with TextGrid.
  • WebAuthN, a system offering authentication functionalities, both directly against a community-managed user directory and via the Shibboleth-based DFN-AAI. WebAuthN is embedded in the TextGridLab, where it offers a login screen and registers the user in RBAC.

There are some minor components interacting with tg-auth* (now obsolete since the TextGrid and DARIAH accounts have been merged; please use the DARIAH Self Service Portal):

  • PWchange, a Web application allowing for setting a new password in case the user knows their old one
  • PWreset, a Web application that lets users set a new password in case they forgot their old one

Technical Information

openRBAC

  • Implementation: PHP, consisting of
    • openRBAC core: RBAC implementation backed by an LDAP directory, e.g. OpenLDAP
    • openRBAC Web Service layer: for accessing openRBAC functions via SOAP
    • tgextra (also a SOAP Web Service): additional functions implemented for TextGrid needs, either aggregating basic RBAC functions or introducing unrelated functions that use the underlying LDAP server as storage
  • Storage: an OpenLDAP server
    • two additional schemas: one for the RBAC core and one for TextGrid-specific attributes
    • Branches:
      • ou=people for users
      • ou=roles for the roles users can activate. TextGrid projects are treated like roles, with sub-roles for the actual roles visible in the TextGridLab, e.g. Administrator or Editor
      • ou=resources for the TextGridObjects and their role-right assignments
      • ou=sessions for the Session IDs that users have in the TextGridLab and the roles they activated in their sessions

WebAuthN

  • Implementation: PHP
    • Dual Login on the first page:
      • direct authentication in the community LDAP server or via
      • Shibboleth Login with DFN-AAI-Basic
    • Both Login methods populate the Server variable $REMOTE_USER
  • In Login Mode, the following happens:
    1. authentication
    2. registration of a user session with activation of all available roles in RBAC
    3. check if user has filled out all required personal information and accepted the Terms of use
    4. exposure of the newly assigned Session ID for use in further activities with the TextGridLab and the TG-Utilities
  • In User Details mode (no authentication, just viewing and modifying the user’s attributes), only step 3 happens.
  • One WebAuthN installation with one community LDAP server can interact with multiple RBAC instances.
  • HTTP GET or POST arguments for TextGrid-WebAuth.php:
    • authZinstance – string identifying the RBAC instance to be used. Always needed.
    • loginname and password – for authentication at community LDAP. Only in Login mode and with HTTP POST.
    • Sid – Session ID known from some earlier authentication. Necessary for User Details mode.
    • ePPN – User ID of the user. Necessary in User Details mode.
  • TextGrid-WebAuth.php is called from WebAuthN2.php, which presents both the community login form and the Shibboleth Login Button.
  • For Shibboleth login, the Shibboleth Service Provider (Apache module) guarantees the provision of a correct User ID delivered from some home organisation.
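The openRBAC branch layout (ou=people, ou=roles with project sub-roles, ou=resources, ou=sessions) and step 2 of Login Mode (register a session, activate every role the user holds) can be modelled in a few lines. The following is an added example, not TG-auth* code; the base DN, the DN shapes, the right names and the Sid format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import secrets

BASE = "dc=textgrid,dc=de"  # assumed base DN, not taken from TG-auth*


def user_dn(uid: str) -> str:
    return f"uid={uid},ou=people,{BASE}"


def role_dn(project: str, subrole: Optional[str] = None) -> str:
    """Projects are roles; Lab-visible roles (Editor, Administrator) are sub-roles of a project."""
    dn = f"cn={project},ou=roles,{BASE}"
    return f"cn={subrole},{dn}" if subrole else dn


def resource_dn(uri: str) -> str:
    return f"cn={uri},ou=resources,{BASE}"


@dataclass
class Directory:
    roles: Dict[str, Set[str]] = field(default_factory=dict)            # role DN -> member user DNs
    resources: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # resource DN -> {role DN: rights}
    sessions: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)   # Sid -> (user DN, active roles)

    def assign(self, uid: str, project: str, subrole: str) -> None:
        self.roles.setdefault(role_dn(project, subrole), set()).add(user_dn(uid))

    def grant(self, uri: str, project: str, subrole: str, *rights: str) -> None:
        self.resources.setdefault(resource_dn(uri), {}).setdefault(role_dn(project, subrole), set()).update(rights)

    def login(self, uid: str) -> str:
        """Login Mode step 2: register a session and activate all roles available to the user."""
        me = user_dn(uid)
        available = {r for r, members in self.roles.items() if me in members}
        sid = secrets.token_hex(16)  # constructed Sid; the real format is not described on the page
        self.sessions[sid] = (me, available)
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def check(self, sid: str, uri: str, right: str) -> bool:
        """Allowed iff some role activated in this session holds `right` on the resource."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False  # unknown or ended Sid: deny rather than fall back to anonymous
        _, active = entry
        grants = self.resources.get(resource_dn(uri), {})
        return any(right in grants.get(r, set()) for r in active)
```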

PWchange

  • PHP Web application
  • Authenticates and changes passwords against an LDAP directory (community LDAP server)
  • Source currently not in SVN, but available upon request

PWreset

  • Perl Web application
  • Sends out links for verification of the user’s email address
  • Must be used with the system’s Web browser, not the TextGridLab-internal one, because cookies are used to remember the user

URLs

Repository

WSDL

OpenRBAC SOAP WSDL locations on the production TextGridRep TG-auth* server:

Sources

See tgauth_sources

License

See LICENCE