Warning: These documents are under active development and subject to change (version 2.1.0-beta).
The latest release documents are at: https://purl.dataone.org/architecture

Use Case 12 - User Authentication

Goal

User Authentication - A user or a service operating on behalf of a user authenticates against an identify provider to establish a certificate that can subsequently be used to identify the user.

Summary

Many operations in the DataONE system require affirmation of user identity to ensure that appropriate access controls can be asserted and other services such as citation and notification operate as expected.

The actual identity and authentication framework may exist outside of DataONE, and the first version of the infrastructure will be utilizing the certificate based services of the CILogon service.

The user obtains a certificate from the CILogon service, then uses that certificate to make API calls against DataONE Services.

Alternatively, a long lived certificate may be provided by DataONE for systems such as Member Nodes that need to authenticate with components of DataONE.

In each case, the provided certificate contains the subject, alternate subjects, and group memberships of the user. This information is used by services to determine if the caller has access to the requested resource.

Actors

User, Member Node, Coordinating Node, Authentication System

Preconditions

  • User is not authenticated in the system

Triggers

  • A user logs on to the DataONE system.
  • A user needs to access a restricted operation.

Post Conditions

  • A certificate is returned to the user that can be used by DataONE services to identify the user.
  • In the event of authentication failure the certificate will not be available.

@startuml images/12_seq_a.png
actor User
participant CILogon
participant IDP <<Identity Provider >>
participant CN <<Coordinating Node>>

note right of CILogon
  DataONE Authentication Service
  https://cilogon.org/?skin=dataone
end note
User -> CILogon: Authenticate
activate CILogon
CILogon -> User: auth_using_IDP

note right of IDP
  User selected
  Identity Provider
end note
User -> IDP: authenticate
activate IDP
IDP -> CILogon: user metadata
deactivate IDP
CILogon -> CN: getSubjectInfo
activate CN
CN -> CILogon: SubjectInfo
deactivate CN
CILogon -> CILogon: generate certificate
CILogon -> User: certificate_download_tool
User -> CILogon: download certificate
CILogon -> User: certificate
deactivate CILogon

@enduml

Figure 1. Obtaining a client side certificate from the CILogon service.

@startuml images/12_seq_b.png
actor User
participant CA <<Certificate Authority>>
participant CertProvider

note right of CA
  DataONE Certificate Authority. Requires
  manual interaction with DataONE
  administrators to generate certificate.
end note
User -> CA: Request certificate
activate CA
CA -> CA: Generate certificate
CA -> User: Certificate retrieval information
deactivate CA
User -> CertProvider: download Certificate
activate CertProvider
CertProvider -> User: Certificate
deactivate CertProvider

@enduml

Figure 2. Obtaining a long-lived client side certificate from DataONE.

@startuml images/12_seq_c.png
actor User
participant MN <<Member Node>>
note right of MN
  Member Node is shown, however
  process is the same for both
  Member and Coordianting Nodes
end note
User -> MN: restricted operation
activate MN
MN -> MN: verify credentials
MN -> User: response
deactivate MN
@enduml

Figure 3. Authenticated interaction with service provided by a Member or Coordinating Node.