Authentication and authorization

Gazelle addresses several security concerns:

  • Authentication of systems: SAML 2.0 (Security Assertion Markup Language 2.0)
  • Authentication of users: SSO (Single Sign On)
  • Web service TLS (Transport Layer Security): PKI (Public Key Infrastructure)

Gazelle Single Sign On: Authentication of users

Single Sign On: one authentication shared by the different Gazelle applications

As Gazelle is made of several webapps, the authentication of users must be shared among its components.

Gazelle SSO


Single Sign On (SSO) using the CAS tool

To achieve that goal, SSO (Single Sign On) is used. When a user accesses a protected resource, the application validates the user's identity. If the user is not authenticated, the application redirects him to a shared application that manages identities. Once the user has authenticated there, he receives a ticket and presents it to the source application. That application checks with the SSO server that the ticket is valid and then authenticates the user.

Therefore, user identities are shared among all applications. Gazelle CAS uses the EU-CAT user database.
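The exchange described above, as an added example that is not part of the original page or of the Gazelle or Jasig CAS code: a toy CAS server issues single-use service tickets bound to one service URL and to a time limit, and two client applications (standing in for Test Management and Product Registry) validate tickets against it. The user name, password and the *.example.invalid URLs are constructed sample data; the real CAS protocol speaks HTTP and XML, which this model leaves out.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs


class CasServer:
    """Toy CAS: a TGT is the SSO session, a service ticket is single use and bound to one service."""

    def __init__(self, users, ticket_ttl=10.0):
        self._users = users      # username -> password (constructed sample data)
        self._tgts = {}          # ticket-granting ticket -> username
        self._sts = {}           # service ticket -> (username, service, issued_at)
        self.ticket_ttl = ticket_ttl

    def login(self, username, password, service):
        """Primary authentication. Returns (tgt, redirect_url) or None on bad credentials."""
        if self._users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt, self.issue_ticket(tgt, service)

    def issue_ticket(self, tgt, service, now=None):
        """SSO hop: an existing TGT yields a service ticket without asking for a password again."""
        username = self._tgts.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (username, service, now if now is not None else time.time())
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": st})

    def service_validate(self, service, ticket, now=None):
        """The /serviceValidate check: consume the ticket, reject reuse, expiry and wrong service."""
        entry = self._sts.pop(ticket, None)        # pop = single use
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service:
            return None
        if (now if now is not None else time.time()) - issued_at > self.ticket_ttl:
            return None
        return username


class CasClientApp:
    """One Gazelle-style webapp that delegates authentication to the CAS server."""

    def __init__(self, base_url, cas):
        self.base_url = base_url
        self.cas = cas

    def handle(self, path, session, ticket=None):
        """Returns (status, body); session is this app's own server-side session dict."""
        service = self.base_url + path
        if "user" in session:
            return 200, session["user"]
        if ticket is None:                          # not authenticated: send to CAS
            return 302, "https://cas.example.invalid/login?" + urlencode({"service": service})
        user = self.cas.service_validate(service, ticket)
        if user is None:
            return 401, "invalid ticket"
        session["user"] = user                      # local session opened only after validation
        return 200, user


def ticket_from_redirect(url):
    return parse_qs(urlsplit(url).query)["ticket"][0]


def demo():
    cas = CasServer({"alice": "correct horse"})   # constructed sample user
    tm = CasClientApp("https://tm.example.invalid", cas)
    pr = CasClientApp("https://pr.example.invalid", cas)
    tm_session, pr_session = {}, {}

    status, _location = tm.handle("/home", tm_session)   # 1. no session: redirect to CAS
    assert status == 302
    tgt, back = cas.login("alice", "correct horse", "https://tm.example.invalid/home")  # 2. login
    st = ticket_from_redirect(back)
    assert tm.handle("/home", tm_session, ticket=st) == (200, "alice")   # 3. validate, open session
    assert tm.handle("/home", {}, ticket=st) == (401, "invalid ticket")  # replayed ticket is refused
    st2 = ticket_from_redirect(cas.issue_ticket(tgt, "https://pr.example.invalid/"))  # 4. SSO hop
    assert pr.handle("/", pr_session, ticket=st2) == (200, "alice")
    st3 = ticket_from_redirect(cas.issue_ticket(tgt, "https://pr.example.invalid/"))
    assert tm.handle("/home", {}, ticket=st3) == (401, "invalid ticket")  # wrong service is refused
    return tm_session["user"], pr_session["user"]


if __name__ == "__main__":
    print(demo())
```

The two refusals at the end are the properties a deployment should verify against its real CAS server: a ticket presented twice, or to a service other than the one it was issued for, must not open a session.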

Gazelle uses Jasig CAS for SSO, which fits all our needs. Applications need only small modifications to replace their current authentication.

However, Gazelle applications should be able to run with or without the SSO. For Test Management and Product Registry, SSO can be enabled at runtime.

Gazelle's SSO is able to authenticate users using an X.509 browser certificate.

CAS autologin

As described in this page, Gazelle SSO supports authentication using X.509 certificates.

The CAS server asks the browser for a certificate proving the user's identity. The process is seamless and allows automatic login to Gazelle applications.

Automatic procedure (Firefox & Chrome)

Go to http://gazelle.ihe.net/pki/, log in with your Gazelle credentials and go to http://gazelle.ihe.net/pki/request/createCAS.seam

If you are using Firefox, you can import the CA certificate directly by clicking the first link. Otherwise, you have to download the PEM located here and install it in your browser.

You can also install an authentication certificate in your browser by clicking on "Compute certificate". With it, you will not have to enter your login/password each time.

Note for development environments

To use the CAS autologin with an application under development on your machine, you need to add the certificate to the Java keystore. To do that, follow these steps:

1. Download 643.pem

2. Execute the command:

On Windows:

C:\Program Files\Java\jdk1.6.0_26>.\jre\bin\keytool -keystore .\jre\lib\security\cacerts -storepass changeit -import -trustcacerts -v -alias ihe2 -file "C:\643.pem"

On MacOS:

sudo keytool -keystore /Library/Java/Home/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias ihe2 -file 643.pem

On Linux (JAVA_HOME can be /usr/local/jdk1.6, /usr/lib/jvm/java-6-oracle, or ...):

sudo $JAVA_HOME/jre/bin/keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias ihe2 -file 643.pem

3. Start or restart your JBoss AS.
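The MacOS and Linux variants of step 2, as an added helper script that is not part of the Gazelle documentation. It locates the JVM truststore for the platform (adding the Java 9+ layout, where the jre/ directory no longer exists, as an assumption beyond the page's Java 6 paths), prints the PEM's SHA-256 fingerprint so it can be compared with a value obtained out of band before a new CA is trusted, refuses to overwrite an existing alias, and lists the entry afterwards. It assumes keytool and openssl are on PATH and that the truststore still uses the JDK default password changeit, as the commands above do; the file name and alias default to 643.pem and ihe2 from the page.

```sh
#!/bin/sh
# Hypothetical helper (not from the Gazelle docs): import a CA PEM into the JVM
# truststore and verify the result. Assumes keytool and openssl are on PATH.

# Truststore location per platform. Java 8 and earlier keep it under
# jre/lib/security; Java 9+ dropped the jre/ directory (assumption beyond the page).
cacerts_path() {
  case "$1" in
    Darwin) echo "/Library/Java/Home/lib/security/cacerts" ;;
    Linux)
      [ -n "${JAVA_HOME:-}" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
      if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
        echo "$JAVA_HOME/jre/lib/security/cacerts"
      else
        echo "$JAVA_HOME/lib/security/cacerts"
      fi ;;
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# SHA-256 fingerprint of a PEM certificate, to be compared with a value
# obtained out of band before the CA is trusted.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import the PEM under the given alias (default ihe2 as in the page), refusing
# to silently overwrite an existing entry, then confirm the alias is present.
import_ca() {
  pem="$1"; alias="${2:-ihe2}"
  store="$(cacerts_path "$(uname -s)")" || return 1
  [ -f "$pem" ] || { echo "no such file: $pem" >&2; return 1; }
  echo "About to trust CA with SHA-256 fingerprint: $(pem_fingerprint "$pem")"
  if keytool -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
    echo "alias $alias already present in $store; delete it first to replace it" >&2
    return 1
  fi
  keytool -importcert -keystore "$store" -storepass changeit -trustcacerts -noprompt \
          -alias "$alias" -file "$pem" || return 1
  keytool -list -keystore "$store" -storepass changeit -alias "$alias"
}

# Usage: sudo env CA_PEM=643.pem CA_ALIAS=ihe2 sh import_ca.sh
# (root is needed to write to the JDK's cacerts; nothing runs when CA_PEM is unset)
if [ -n "${CA_PEM:-}" ]; then
  import_ca "$CA_PEM" "${CA_ALIAS:-ihe2}"
fi
```

Restart JBoss AS afterwards, as step 3 says; the JVM reads cacerts at startup.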