<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Karl, Luca,<br>
      <br>
      We've updated the ESG-NCAR Gateway to address the issues noted
      below.&nbsp; Users should now be able to log in and successfully
      download CMIP5 data using PCMDI9 OpenIDs.<br>
      <br>
      Thanks,<br>
      <br>
      -Eric<br>
      <br>
      <br>
      On 8/3/2012 4:38 PM, Eric Nienhouse wrote:<br>
    </div>
    <blockquote cite="mid:501C52EE.8010301@ucar.edu" type="cite">
      Hi Luca,<br>
      <br>
      Thanks for the details below.&nbsp; We're getting proper CMIP5 related
      group attributes from the Attribute Service (ATS) at pcmdi9 when
      asserting the CMIP5 related data access attributes as you note.<br>
      <br>
      We need to make a few changes to the Gateway to issue these SAML
      requests in support of end-to-end authorized file downloads from
      the TDS at ESG-NCAR.<br>
      <br>
      The CMIP5 download tests noted below as not requiring CMIP5
      registration for access were made to the GFDL datanode.&nbsp; Other
      nodes tested (e.g. pcmdi9, CMCC.it) require CMIP5 registration as
      expected.<br>
      <br>
      I'll let you know once this is deployed to the production ESG-NCAR
      Gateway and pcmdi9 OpenIDs can successfully download.&nbsp; A number of
      folks are out on vacation, so it may be a bit until this is ready.<br>
      <br>
      -Eric<br>
      <br>
      On 8/2/2012 12:33 PM, Cinquini, Luca (3880) wrote:
      <blockquote
        cite="mid:7AEA50E4-58F8-4288-A746-7982BE90EB65@jpl.nasa.gov"
        type="cite">
        Hi Nathan:
        <div><br>
          <div>
            <div>On Aug 2, 2012, at 9:13 AM, Nathan Hook wrote:</div>
            <br class="Apple-interchange-newline">
            <blockquote type="cite">
              <div>Hi Karl and Luca,<br>
                <br>
                To be clear authentication (authN) is working, the error
                that you're both seeing is an authorization (authZ)
                issue.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            yes correct.<br>
            <blockquote type="cite">
              <div><br>
                When we make a request to the saml attribute service at
                pcmdi9 (<a moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a>)
                we always get an attribute response that has a user's
                first name, last name, and email, but no listing of
                groups to which that user belongs.<br>
                <br>
                We have tried the following openids in the saml
                attribute request:<br>
                <a moz-do-not-send="true"
                  href="https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook">https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook</a><br>
                <a moz-do-not-send="true" class="moz-txt-link-freetext"
                  href="https://www.earthsystemgrid.org/myopenid/nhook">https://www.earthsystemgrid.org/myopenid/nhook</a><br>
                <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a><br>
                <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse">https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse</a><br>
                <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13">https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13</a><br>
                <br>
                Since we're not getting back any group information from
                the saml requests, our system seems to be doing the
                correct behavior (denying access) at this time.<br>
                <br>
                Is there a different way that we should be authorizing a
                user's access to cmip5 data?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Please see below for an example of a SAML request to the
              pcmdi9 attribute service, and the corresponding HTTP response.
              Basically, if the client asks for the attributes named
              "CMIP5 Commercial" and "CMIP5 Research", their values will
              be returned, if found (i.e. the user has obtained CMIP5
              membership).</div>
            <div><br>
            </div>
            <blockquote type="cite">
              <div><br>
                FYI, I was able to download data directly from <a
                  moz-do-not-send="true"
                  href="http://pcmdi9.llnl.gov/esgf-web-fe/">
                  http://pcmdi9.llnl.gov/esgf-web-fe/</a> with both my
                pcmdi9 and <a moz-do-not-send="true"
                  href="http://www.earthsystemgrid.org">
                  www.earthsystemgrid.org</a> openids without having to
                request access to the cmip5 group. Has group
                registration been turned off, or is group registration no
                longer required to access cmip5 data?</div>
            </blockquote>
            <br>
          </div>
          <div>The security enforcement is really established by the
            data node, not the web-fe. Which dataset were you trying to
            download? I know GFDL provides free access to their data;
            all other data nodes should require CMIP5 membership. I just
            verified that, with a new pcmdi9 openid, I am asked to
            register when requesting data from the pcmdi9 datanode.</div>
          <div>Also, the old memberships have been transferred to the
            new system, so your <a moz-do-not-send="true"
              href="http://www.earthsystemgrid.org">
              www.earthsystemgrid.org</a> openid should already be
            enabled. I can only explain the success of your pcmdi9
            openid if:</div>
          <div>a) somehow you had enrolled in CMIP5 at some point</div>
          <div>b) or, you were really downloading free data from GFDL</div>
          <div><br>
          </div>
          <div>thanks, Luca</div>
          <div><br>
            <blockquote type="cite">
              <div><br>
                Thank you for your time.<br>
                <br>
                Warm Regards,<br>
                <br>
                Nathan H.<br>
                <br>
                <br>
                PS: We also tried all the above openids against the
                attribute service at pcmdi7 (<a moz-do-not-send="true"
href="https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm">https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm</a>).
                All the pcmdi9 openids returned an UnknownPrincipal
                response, while the <a moz-do-not-send="true"
                  href="http://www.earthsystemgrid.org">
                  www.earthsystemgrid.org</a> and pcmdi3 openids
                returned appropriate group information.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
=====================================================================================================</div>
          <div><br>
          </div>
          <div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: Querying
              SOAP endpoint: <a moz-do-not-send="true"
href="https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm">https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm</a>
              timeout=10000 milliseconds</div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: &lt;?xml
              version="1.0" encoding="UTF-8"?&gt;&lt;soap11:Envelope
              xmlns:soap11="<a moz-do-not-send="true"
                href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>"&gt;</div>
            <div>&nbsp; &nbsp;&lt;soap11:Body&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &lt;saml2p:AttributeQuery
              xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
              ID="63c0c153-a6dc-42d7-9b50-30801c9f3d57"
              IssueInstant="2012-08-02T18:21:03.380Z" Version="2.0"&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Issuer
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"&gt;ESGF

              Authorization Service&lt;/saml2:Issuer&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Subject
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:NameID
              Format="urn:esg:openid"&gt;<b><a moz-do-not-send="true"
                  href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b>&lt;/saml2:NameID&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Subject&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Name="CMIP5 Commercial" NameFormat="<a
                moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="<b>CMIP5

                Research</b>" NameFormat="<a moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Name="urn:esg:group:role" NameFormat="<a
                moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"/&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &lt;/saml2p:AttributeQuery&gt;</div>
            <div>&nbsp; &nbsp;&lt;/soap11:Body&gt;</div>
            <div>&lt;/soap11:Envelope&gt;</div>
            <div><br>
            </div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: Response
              header name=Server value=Apache-Coyote/1.1</div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: Response
              header name=Content-Type value=text/xml</div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: Response
              header name=Content-Length value=1760</div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: Response
              header name=Date value=Thu, 02 Aug 2012 18:21:03 GMT</div>
            <div>[DEBUG] esg.security.common.SOAPServiceClient: &lt;?xml
              version="1.0" encoding="UTF-8"?&gt;&lt;soap11:Envelope
              xmlns:soap11="<a moz-do-not-send="true"
                href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>"&gt;</div>
            <div>&nbsp; &nbsp;&lt;soap11:Body&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &lt;saml2p:Response
              xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
              ID="543c8eb4-1958-4f90-b763-e00aadc9249d"
              InResponseTo="63c0c153-a6dc-42d7-9b50-30801c9f3d57"
              IssueInstant="2012-08-02T18:21:03.528Z" Version="2.0"&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Issuer
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"&gt;ESGF

              Attribute Service&lt;/saml2:Issuer&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2p:Status&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2p:StatusCode
              Value="urn:oasis:names:tc:SAML:2.0:status:Success"/&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2p:Status&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Assertion
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="51ca7a30-42a4-4af5-b704-275e4cc5b91d"
              IssueInstant="2012-08-02T18:21:03.531Z" Version="2.0"&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Issuer
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"&gt;ESGF

              Attribute Service&lt;/saml2:Issuer&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Subject&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:NameID
              Format="urn:esg:openid"&gt;<b><a moz-do-not-send="true"
                  href="https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</a></b>&lt;/saml2:NameID&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;/saml2:Subject&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:Conditions
              NotBefore="2012-08-02T18:21:03.531Z"
              NotOnOrAfter="2012-08-03T18:21:03.531Z"/&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:AttributeStatement&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;saml2:Attribute Name="<b>CMIP5
                Research</b>" NameFormat="<a moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema#string">http://www.w3.org/2001/XMLSchema#string</a>"&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;saml2:AttributeValue xmlns:xs="<a
                moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>"
              xmlns:xsi="<a moz-do-not-send="true"
                href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"
              xsi:type="xs:string"&gt;<b>user</b>&lt;/saml2:AttributeValue&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Attribute&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;/saml2:AttributeStatement&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;/saml2:Assertion&gt;</div>
            <div>&nbsp; &nbsp; &nbsp; &lt;/saml2p:Response&gt;</div>
            <div>&nbsp; &nbsp;&lt;/soap11:Body&gt;</div>
            <div>&lt;/soap11:Envelope&gt;</div>
            <div><br>
            </div>
            <div>=========================================================================================</div>
            <blockquote type="cite">
              <div><br>
                <br>
                <br>
                On 8/1/2012 9:36 AM, Karl Taylor wrote:<br>
                <blockquote type="cite">Hi Nate,<br>
                  <br>
                  Even with a pcmdi9 openid, I get this error:<br>
                  <br>
                  <br>
                  so something is not quite right yet.<br>
                  <br>
                  thanks,<br>
                  Karl<br>
                  <br>
                  <br>
                  On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:<br>
                  <blockquote type="cite">Hi Nate,<br>
                    thanks, this is a good step forward. I noticed the
                    following though:<br>
                    <br>
                    o The authorization system on the TDS server still
                    doesn't seem to be compatible with P2P - I got an
                    "Access Denied" when trying to download a file with my
                    CMIP5-enabled pcmdi9 openid.<br>
                    <br>
                    o Is there any plan to support authentication with any
                    P2P openid, not just pcmdi9?<br>
                    <br>
                    thanks, Luca<br>
                    <br>
                    On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:<br>
                    <br>
                    <blockquote type="cite">Hello,<br>
                      <br>
                      To follow up from the last telco, PCMDI9 OpenIDs can
                      now be used at the NCAR site.<br>
                      <br>
                      Thanks!<br>
                      -Nate<br>
                      _______________________________________________<br>
                      GO-ESSP-TECH mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a><br>
                      <a moz-do-not-send="true"
                        href="http://mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://mailman.ucar.edu/mailman/listinfo/go-essp-tech</a><br>
                    </blockquote>
                  </blockquote>
                </blockquote>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
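    <p>The exchange Luca describes above (ask the pcmdi9 attribute service for
      "CMIP5 Commercial" and "CMIP5 Research" by name; a value comes back only
      when the user holds CMIP5 membership) is the whole authorization check a
      data node performs. The script below is an added example, not code from
      this thread or from the ESGF project: it builds the SAML 2.0
      AttributeQuery with the same elements as the logged request, validates a
      Response the way a relying party should (InResponseTo bound to our query
      ID, Success status, subject equal to the queried OpenID, Conditions
      window), and reduces it to allow/deny. The HTTP transport is omitted so
      it runs offline; the sample responses are constructed from the shape of
      the logged one, and the response IDs, the "FirstName"/"Email" attribute
      names and the e-mail value in the no-group case are placeholders of my
      own, not values from the thread.</p>

```python
"""Added example, not ESGF code: SAML2 AttributeQuery build + Response check."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
OPENID_FORMAT = "urn:esg:openid"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The attribute service only returns values for names present in the query.
CMIP5_ATTRIBUTES = ("CMIP5 Commercial", "CMIP5 Research")
OPENID = "https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini"  # from the thread


def build_attribute_query(openid, names=CMIP5_ATTRIBUTES,
                          issuer="ESGF Authorization Service"):
    """Return (query_id, SOAP 1.1 envelope bytes) for a SAML2 AttributeQuery."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    query_id = str(uuid.uuid4())
    instant = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    env = ET.Element(f"{{{NS['soap11']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap11']}}}Body")
    query = ET.SubElement(body, f"{{{NS['saml2p']}}}AttributeQuery",
                          ID=query_id, IssueInstant=instant, Version="2.0")
    ET.SubElement(query, f"{{{NS['saml2']}}}Issuer", Format=X509_FORMAT).text = issuer
    subject = ET.SubElement(query, f"{{{NS['saml2']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml2']}}}NameID", Format=OPENID_FORMAT).text = openid
    for name in names:  # each group attribute has to be requested explicitly
        ET.SubElement(query, f"{{{NS['saml2']}}}Attribute", Name=name, NameFormat=XS_STRING)
    return query_id, ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _instant(value):
    """Parse a SAML UTC timestamp such as 2012-08-02T18:21:03.531Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML instant: {value!r}")


def parse_attribute_response(xml_bytes, query_id, openid, now=None):
    """Validate the Response; return {attribute name: [values]} or raise ValueError."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_bytes)
    resp = root.find("soap11:Body/saml2p:Response", NS)
    if resp is None:
        raise ValueError("no saml2p:Response in SOAP body")
    if resp.get("InResponseTo") != query_id:  # bind the answer to our own query
        raise ValueError("InResponseTo does not match the query ID")
    code = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    attrs = {}
    for assertion in resp.findall("saml2:Assertion", NS):
        name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
        if name_id is None or name_id.text != openid:  # must be about this user
            raise ValueError("assertion subject is not the queried OpenID")
        cond = assertion.find("saml2:Conditions", NS)
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if (nb and now < _instant(nb)) or (noa and now >= _instant(noa)):
                raise ValueError("assertion is outside its validity window")
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def is_authorized_for_cmip5(attrs):
    """Grant only if a requested CMIP5 attribute came back with a value."""
    return any(v for name in CMIP5_ATTRIBUTES for v in attrs.get(name, []))


def decide(response_bytes, query_id, openid, now=None):
    """Allow/deny; any validation failure is a deny."""
    try:
        return is_authorized_for_cmip5(parse_attribute_response(response_bytes, query_id, openid, now))
    except ValueError:
        return False


def sample_response(in_response_to, openid, attribute_xml):
    """Constructed response mirroring the logged one (IDs are placeholders)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="{NS['soap11']}"><soap11:Body>
<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" ID="resp-1"
 InResponseTo="{in_response_to}" IssueInstant="2012-08-02T18:21:03.528Z" Version="2.0">
 <saml2:Issuer Format="{X509_FORMAT}">ESGF Attribute Service</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="{STATUS_SUCCESS}"/></saml2p:Status>
 <saml2:Assertion ID="assert-1" IssueInstant="2012-08-02T18:21:03.531Z" Version="2.0">
  <saml2:Issuer Format="{X509_FORMAT}">ESGF Attribute Service</saml2:Issuer>
  <saml2:Subject><saml2:NameID Format="{OPENID_FORMAT}">{openid}</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
  <saml2:AttributeStatement>{attribute_xml}</saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response></soap11:Body></soap11:Envelope>""".encode()


def _attr(name, value):
    return (f'<saml2:Attribute Name="{name}" NameFormat="{XS_STRING}">'
            f'<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
            f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">'
            f'{value}</saml2:AttributeValue></saml2:Attribute>')


MEMBER = _attr("CMIP5 Research", "user")  # exactly what the log shows
NO_GROUP = _attr("FirstName", "Luca") + _attr("Email", "luca@example.org")  # placeholder names


def demo():
    """The four cases a data node must tell apart; returns case -> allowed."""
    now = dt.datetime(2012, 8, 2, 19, 0, tzinfo=dt.timezone.utc)  # inside the window
    query_id, _envelope = build_attribute_query(OPENID)
    return {
        "member": decide(sample_response(query_id, OPENID, MEMBER), query_id, OPENID, now),
        "no_group": decide(sample_response(query_id, OPENID, NO_GROUP), query_id, OPENID, now),
        "other_query": decide(sample_response("stale-id", OPENID, MEMBER), query_id, OPENID, now),
        "expired": decide(sample_response(query_id, OPENID, MEMBER), query_id, OPENID,
                          now + dt.timedelta(days=2)),
    }


if __name__ == "__main__":
    print(demo())  # {'member': True, 'no_group': False, 'other_query': False, 'expired': False}
```

    <p>Two things worth noting when wiring this to a real endpoint. First, the
      response in the debug log carries no XML Signature element, so nothing in
      the assertion itself proves it came from pcmdi9: the trust rests entirely
      on the TLS connection to the attributeService.htm endpoint, and the HTTP
      client must verify that server certificate rather than disable checking.
      Second, the checks on InResponseTo, the Subject NameID and the
      NotBefore/NotOnOrAfter window only stop a cached or mixed-up assertion
      from being applied to the wrong user or after membership was revoked;
      they are in addition to, not instead of, the channel authentication.</p>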
  </body>
</html>