...
Title (goal) | External Authentication and Authorization
---|---
Primary Actor | developer, consuming applications
Scope | Organizational, black box
Level | 
Story | numbered steps below

1. A user in a browser clicks a link to view information about a digital object in Fedora. The request passes through one or more front-end applications before it reaches Fedora.
2. Fedora receives the anonymous request for the resource (object, datastream, datastream metadata, etc.) and asks the external PDP whether the resource is accessible. Because the request is anonymous and public, no role attributes are delivered to the PDP. The PDP denies the request, and Fedora responds with a 401.
   At this point the front-end application decides what to do with that 401. In our case it redirects the user to an authentication web service protected by Shibboleth; that service runs the Shibboleth login exchange, then redirects the user back to the front-end application with the user's attributes included.
3. The front-end application re-requests the resource from Fedora, this time with the user attribute information.
4. Fedora receives the authenticated request and asks the PDP again whether the resource is accessible, this time passing along the user attributes. If the PDP denies the request, Fedora responds with a 403.
   At this point the front-end application decides what to do with the 403: show an error page, mask it as a 404, etc.
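As an added example (not code from the Fedora project or from this page), the exchange in the story simulated end to end in Python: a stub PDP backed by a constructed policy table, a Fedora stand-in that returns 401 for a denied anonymous request and 403 for a denied authenticated one, and a front end that answers the 401 by calling a stub in place of the Shibboleth login, re-requests with the returned attributes, and masks a 403 as a 404. The policy table, resource paths, user directory and the `roles` attribute name are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed policy table (an assumption, not a Fedora policy format):
# resource path -> roles permitted to read it. An empty set means the
# resource is public; a resource that is not listed is denied (default deny).
POLICY = {
    "/objects/demo:1": set(),                       # public object
    "/objects/demo:2": {"faculty", "staff"},        # restricted object
    "/objects/demo:2/datastreams/DS1": {"staff"},   # datastream with a tighter rule
}


def pdp_decide(resource, attributes):
    """Stand-in for the external PDP.

    attributes is None for an anonymous request, so no roles reach the PDP;
    otherwise it is the attribute dict the front end forwarded after login.
    """
    allowed = POLICY.get(resource)
    if allowed is None:                # unknown resource: default deny
        return False
    if not allowed:                    # public resource
        return True
    roles = set() if attributes is None else set(attributes.get("roles", ()))
    return bool(allowed & roles)


@dataclass
class Fedora:
    """Repository stand-in: every GET is checked with the PDP."""
    calls: list = field(default_factory=list)   # log of (resource, attributes)

    def get(self, resource, attributes=None):
        self.calls.append((resource, attributes))
        if pdp_decide(resource, attributes):
            return 200, f"contents of {resource}"
        # Anonymous and denied: 401, so the front end knows to authenticate.
        # Authenticated and still denied: 403, identity known but insufficient.
        return (401, None) if attributes is None else (403, None)


# Constructed user directory standing in for what the Shibboleth IdP releases.
USERS = {
    "alice": {"uid": "alice", "roles": ["faculty"]},
    "bob": {"uid": "bob", "roles": ["student"]},
}


def shibboleth_login(user):
    """Stub for the Shibboleth login: returns the released attributes."""
    return USERS[user]


class FrontEnd:
    """Consuming application that handles Fedora's 401/403 on the user's behalf."""

    def __init__(self, fedora, mask_forbidden_as_404=True):
        self.fedora = fedora
        self.mask = mask_forbidden_as_404
        self.session = None        # attributes once the user has logged in

    def view(self, resource, user):
        # Steps 1-2: request the resource, anonymously unless a session exists.
        status, body = self.fedora.get(resource, self.session)
        if status == 401:
            # Step 2, continued: send the user through the Shibboleth-protected
            # authentication service and come back with attributes ...
            self.session = shibboleth_login(user)
            # Step 3: ... then re-request the resource with those attributes.
            status, body = self.fedora.get(resource, self.session)
        if status == 403 and self.mask:
            # Step 4: authenticated but not permitted; hide the resource's existence.
            return 404, "Not Found"
        return status, body


if __name__ == "__main__":
    fedora = Fedora()
    for user, resource in [("bob", "/objects/demo:1"),
                           ("alice", "/objects/demo:2"),
                           ("bob", "/objects/demo:2")]:
        print(user, resource, FrontEnd(fedora).view(resource, user)[0])
```

The branch the front end takes depends on Fedora answering 401 only when no attributes were presented and 403 once they were; collapsing both into one status would leave the front end unable to tell "log in" from "logged in but not allowed". Note also that in this design the repository acts on whatever attributes the front end forwards, so Fedora should accept them only from a front end it can itself authenticate; how that trust is established is outside the scope of this use case.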
...