Single Sign-on

NRAO Interactive Services Modification Request 10C408, August 2008



1. Introduction

Several enhancements of the My.NRAO site are needed, primarily to support the smooth transition between My.NRAO and web applications hosted at the NRAO website. In particular, a single sign-on that allows a user to move seamlessly between the two sets of applications is desired.

2. Background

Several new tools will be deployed at the NRAO Socorro site at the end of 2008. Users will prepare proposals using the Proposal Submission Tool, and then transition to use several tools hosted at the NRAO.

Several other operational requirements are foreseen. We would like to make the structural changes those requirements need at the same time as we address the main driver.

3. Requirements

  • A user should be able to log in once, and move between applications (e.g. archive, proposals, observing, dynamic scheduling systems) without re-authentication. The goal is to provide a service that any software application at the sites can use to authenticate against.
  • The NRAO Computing Security Policy and the NSF require encrypted password storage. Passwords are currently stored unencrypted (merely base64-encoded, which is an encoding, not encryption, and is trivially reversed). How can we ensure compliance in a standalone authentication system?
  • It should be possible to associate a user with more than one user group.
  • The service administrator must be able to create new groups and associate users with groups readily.
  • Service administrators at each of the sites/telescopes should also be able to create and maintain their own groups.
  • There will be a main repository for user information, supplemented by mirrors. The rationale for a mirror is the requirement that the sites must maintain continuous operations even if network connections to the sites are down.
  • The mirror(s) can provide the authentication services locally, but operations that modify user information will be directed to the master, not to the mirror.
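The two storage requirements above, hashed rather than base64-encoded passwords and a master repository with read-only mirrors that keep authenticating when the network link is down, sketched together as an added example. This is not NRAO, My.NRAO or CAS code: the PBKDF2-SHA256 record format, the iteration count, the in-memory stores and the sample legacy record are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of a record as the site stores it today: base64 only.
LEGACY_RECORD = base64.b64encode(b"correct horse battery staple").decode()

# Assumption for the demo; tune the count to the master's hardware.
PBKDF2_ITERATIONS = 100_000


def recover_legacy(record: str) -> str:
    """Base64 is an encoding, not encryption: anyone who can read the
    record can read the password. Used here only for a one-time migration."""
    return base64.b64decode(record).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256; the stored string carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


class MasterStore:
    """Authoritative user repository: the only place that accepts modifications."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}   # user -> hashed record, never plaintext

    def set_password(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def import_legacy(self, user: str, record: str) -> None:
        """Migration path for the existing base64 records."""
        self.set_password(user, recover_legacy(record))

    def snapshot(self) -> Dict[str, str]:
        """What a mirror replicates: hashes only."""
        return dict(self._records)

    def authenticate(self, user: str, password: str) -> bool:
        stored = self._records.get(user)
        return stored is not None and verify_password(password, stored)


class MirrorStore:
    """Site-local replica: authenticates from its copy, forwards writes to the master."""

    def __init__(self, master: MasterStore) -> None:
        self._master = master
        self._records: Dict[str, str] = {}
        self.link_up = True          # simulated network link to the master
        self.sync()

    def sync(self) -> None:
        if self.link_up:
            self._records = self._master.snapshot()

    def authenticate(self, user: str, password: str) -> bool:
        """Works from the local copy even while the link is down."""
        stored = self._records.get(user)
        return stored is not None and verify_password(password, stored)

    def set_password(self, user: str, password: str) -> None:
        """Modifications are never applied locally; they go to the master."""
        if not self.link_up:
            raise ConnectionError("master unreachable: a mirror does not accept modifications")
        self._master.set_password(user, password)
        self.sync()
```

The split matters operationally: a mirror can keep a telescope site logging in during an outage because it only needs hashes to verify a password, while refusing writes means the master and its mirrors never diverge.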

4. Implementation

  • We have tested CAS (Central Authentication Service) distributed by the JASIG consortium. A test installation and deployment was less than a week's work. It is probable that the major effort will be modifying applications to use it. This is a well-supported Open Source application and may be a plausible solution for the authentication. Please consult StephanWitz for more details.
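The ticket exchange that lets a user log in once and then move between the archive, proposal and observing applications, modelled as an added example. This is a toy written for this page, not JASIG CAS code; the ticket prefixes, lifetimes and the in-memory credential check are assumptions for the demo, and a deployment would check passwords against the hashed user repository instead.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Lifetimes are assumptions for this demo; real CAS makes both configurable.
ST_LIFETIME = 10.0          # a service ticket is consumed within seconds of issue
TGT_LIFETIME = 8 * 3600.0   # the single-sign-on session itself


@dataclass
class ServiceTicket:
    user: str
    service: str    # the application URL the ticket was issued for
    issued: float


class CasLikeServer:
    """Toy model of the CAS ticket exchange (not JASIG CAS code)."""

    def __init__(self, credentials: Dict[str, Callable[[str], bool]], clock=time.time):
        # credentials maps user -> password verifier; constructed for the demo
        self._credentials = credentials
        self._clock = clock
        self._tgts: Dict[str, Tuple[str, float]] = {}   # TGT id -> (user, issued)
        self._sts: Dict[str, ServiceTicket] = {}         # ST id -> ticket

    def login(self, user: str, password: str) -> Optional[str]:
        """Primary authentication, done once. Returns a ticket-granting ticket,
        which the browser holds in a cookie scoped to the CAS server only."""
        verify = self._credentials.get(user)
        if verify is None or not verify(password):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = (user, self._clock())
        return tgt

    def request_service_ticket(self, tgt: str, service: str) -> Optional[str]:
        """An application redirects the browser to CAS with ?service=<its URL>.
        With a valid TGT no password is asked for: this is the single sign-on."""
        entry = self._tgts.get(tgt)
        if entry is None:
            return None
        user, issued = entry
        if self._clock() - issued > TGT_LIFETIME:
            del self._tgts[tgt]
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = ServiceTicket(user, service, self._clock())
        return st

    def service_validate(self, st: str, service: str) -> Optional[str]:
        """/serviceValidate as seen by the application: returns the user name
        or None. A ticket is single-use, bound to one service, and short-lived."""
        ticket = self._sts.pop(st, None)   # pop so a replayed ticket fails
        if ticket is None:
            return None
        if ticket.service != service:
            return None
        if self._clock() - ticket.issued > ST_LIFETIME:
            return None
        return ticket.user

    def logout(self, tgt: str) -> None:
        """Ending the SSO session: no further service tickets can be minted."""
        self._tgts.pop(tgt, None)
```

The property worth checking when applications are converted to use CAS is visible in the validation step: the application never receives the password, only a ticket that it must present back to the CAS server together with its own service URL, so a ticket captured for one application is useless to another and useless a second time.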

5. Other issues

  • We will necessarily be operating with cross-site/cross-server authentication, so cross-site security must be kept firmly in mind when discussing the implementation. PatrickMurphy and StephanWitz will be available for consultation on these issues.

6. Test Plan

6.1 Internal Testing

6.2 Sponsor Testing

6.3 Integration/Regression Tests


Signatures

APPROVED: I acknowledge that my request is fully contained in this MR, and if the Open Sky (or other NIS or PST developers) deliver exactly what I specified, I will be happy.

ACCEPTED: I acknowledge that I have validated the completed code according to the acceptance tests, and I am happy with the results.

Written ALERT! - GarethHunt - 26 Aug 2008
Checked - - - - -
Approved by Scientific Sponsor - - - - -
Accepted/Delivered by Sponsor - - - - -

Symbols:
  • Use %X% if MR is not complete (will display ALERT!)
  • Use %Y% if MR is complete (will display DONE)


Discussion Area

-- GarethHunt - 26 Aug 2008

Topic revision: 2008-08-26, GarethHunt