Hi Pauline,
> How are you incorporating single sign on (assuming this means OpenID or
> Shibboleth) with client certificates? Or do you mean the MyProxy
> credentials *is* the SSO, and would unlock a certificate that will be
> used across multiple services (including stuff like GridFTP)?
Yes, the latter. The client would make a call to MyProxy logon first to obtain
a credential from their home IdP, then submit this in their request over SSL to
the OPeNDAP service.
We also have OpenID-based SSO for pyDAP. Our OpenID Provider uses
username/password but could use a client cert too, as I've seen done with
MyOpenID.
>
> > Have any of you done much in the way of authentication
> > interoperability tests between different client and server
> > implementations?
> >
>
> Nope... We're hoping to keep authentication to either the container or
> web server so then it would be independent of the underlying webapp.
We've followed the same approach, overlaying the pyDAP web application with
independent WSGI-based security middleware.
> I'm hoping client certificates would *just work* on the standard HTTP
> clients for the C, Java and Python OPeNDAP client libraries (i.e. curl,
> httpClient and httplib2(?)). We should be doing some testing soon...
OK - would be interested to hear how you get on :) I did some initial tests
with wget but I'm more concerned about compatibility with the other OPeNDAP
client libraries.
Cheers,
Phil
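
The layering discussed in this message (client certificate checked at the web server, with WSGI middleware sitting independently in front of the web application) can be sketched as below. This is an added example, not code from pyDAP or from the middleware mentioned above; it assumes the front-end server exports mod_ssl-style SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables into the WSGI environ, and the class, helper, demo app and DN values are constructed for illustration.

```python
# Added illustration; not pyDAP code. Assumes the SSL-terminating web server
# sets SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN (mod_ssl naming) in the environ.

class ClientCertAuthMiddleware:
    """Pass a request on only if the server verified a client certificate."""

    def __init__(self, app, allowed_dns=None):
        self.app = app
        # None means "any verified certificate"; otherwise an allow-list of DNs.
        self.allowed_dns = None if allowed_dns is None else set(allowed_dns)

    def __call__(self, environ, start_response):
        # Request headers arrive as HTTP_* keys, so a client-sent
        # "SSL-Client-Verify" header becomes HTTP_SSL_CLIENT_VERIFY and is
        # never consulted here; only the server-set variables are trusted.
        verified = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
        dn = environ.get("SSL_CLIENT_S_DN", "")
        if not verified or not dn:
            return self._deny(start_response, b"client certificate required\n")
        if self.allowed_dns is not None and dn not in self.allowed_dns:
            return self._deny(start_response, b"certificate not authorised\n")
        # Overwrite REMOTE_USER so the wrapped app sees only the verified DN.
        environ["REMOTE_USER"] = dn
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, body):
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    """Stand-in for the wrapped web application; it has no auth logic."""
    body = ("hello " + environ["REMOTE_USER"] + "\n").encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, environ):
    """Drive a WSGI app once and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```
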