Posted to dev@knox.apache.org by Kevin Minder <ke...@hortonworks.com> on 2013/11/20 04:57:47 UTC

Re: Knox with Ping

Hey Benoy,
Glad you have some time to get this going.  Let's continue this 
conversation on dev@knox.  I'm guessing you are asking about which 
module this should go in.  My thinking is that this would go in a 
separate module probably called gateway-provider-security-ping or 
something similar.  If after some quick discussion that is the right 
answer I'd be happy to create a skeleton for you.  We should start 
though with getting an understanding of how to approach the Ping 
integration.  To start with I have questions like:
1) What will be added to the REST request when Ping is being used?
2) How will that be validated?  Callback to ping? Cryptographically?
3) How do you see group membership being obtained when Ping is used for SSO?
4) Other things that I hope Larry will be able to think of...
Kevin.

On 11/19/13 10:49 PM, Benoy Antony wrote:
> Larry, Kevin,
>
> hope you are keeping fine.
> If it's appropriate, I can take up 
> https://issues.apache.org/jira/browse/KNOX-192 as I have some 
> bandwidth now.
>
> I have the new master version of knox and have the eclipse workspace 
> based on it. If I can take up this task, could you please let me know 
> which project should have this integration code ?
>
> thanks ,
> Benoy
>


-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

Re: Knox with Ping

Posted by larry mccay <la...@gmail.com>.
Yes, a SAML bearer token would work just fine.
Ping Federate has a number of these options.
The STS service may also be something to consider.
We can exchange one token type for another potentially a format that we can
make the Knox or Hadoop SSO token.
Let's investigate the options - especially those recommended by Ping for
REST - although OAuth is probably not what we want here.


On Thu, Nov 21, 2013 at 10:11 AM, Dilli Arumugam <da...@hortonworks.com> wrote:

> Hi Benoy,
>
> I believe Ping would provide many ways of integration.
> Would be interested to know the options you considered.
>
> I believe Ping would support SAML artifact profile.
> Did you consider integrating with that?
> Would such an integration be more useful in that it can work across
> multiple SAML identity providers?
>
> Thanks
> Dilli
>
>
> On Thu, Nov 21, 2013 at 7:00 AM, larry mccay <la...@gmail.com> wrote:
>
>> Hi Benoy -
>>
>> That seems like a reasonable approach forward.
>> I'm not sure that we will be able to directly use a cookie intended for a
>> specific server.
>>
>> There is an approach used by a number of SSO solutions in which a custom
>> header is created that contains the user identity and propagated to the
>> REST endpoints like this. We could sign or encrypt the header in order to
>> ensure that it is from a trusted application.
>>
>> I believe that this is the approach used in scenarios like SiteMinder
>> integration and others.
>>
>> While it is true that we really can't depend on a solution that requires
>> a user to satisfy a challenge based on a browser redirect to a login page,
>> it is probably not completely accurate to assume that we don't have REST
>> clients running in a browser. The use of something like XMLHttpRequest may
>> have to be used to set the custom header from javascript. Of course, server
>> side integration would also be possible with this sort of approach.
>>
>> We will just need a way to ensure that we can set identity token - either
>> custom HTTP header or Bearer Token type thing.
>> Whatever we do - needs to also be able to be done from curl.
>>
>> You probably want to determine what Ping's recommended approach to such
>> things is though.
>>
>> Feel free to ping me with any questions!
>>
>> thanks,
>>
>> --larry
>>
>>
>>
>> On Wed, Nov 20, 2013 at 5:34 PM, Benoy Antony <ba...@ebaysf.com> wrote:
>>
>>> Thanks guys.
>>>
>>> > 1) What will be added to the REST request when Ping is being used?
>>> > 2) How will that be validated?  Callback to ping? Cryptographically?
>>> > 3) How do you see group membership being obtained when Ping is used for
>>> > SSO?
>>>
>>> So far we used Ping to authenticate browser based access. In this case,
>>> Ping drops a cookie which contains the user's authentication information.
>>> In our case, we have the group information on the servers using ldap.
>>>
>>> The authentication works via browser redirects and information is
>>> shared using cookies.
>>>
>>> The information in the cookie is encrypted using a secret shared between
>>> Ping and servers.
>>>
>>> I am trying to get more details on how to use Ping in the non-browser
>>> use case.  I am assuming the Knox usage is primarily non-browser based.
>>>
>>> Once I get these details and based on inputs from you, I'll add the
>>> design proposal to the Jira.
>>>
>>>
>>>
>>> thanks,
>>> benoy
>>> ________________________________
>>> From: Dilli Arumugam [darumugam@hortonworks.com]
>>> Sent: Tuesday, November 19, 2013 10:27 PM
>>> To: dev@knox.incubator.apache.org
>>> Cc: Benoy Antony
>>> Subject: Re: Knox with Ping
>>>
>>> Welcome Benoy.
>>> Thanks
>>> Dilli
>>>
>>>
>>> On Tue, Nov 19, 2013 at 8:31 PM, larry mccay <larry.mccay@gmail.com> wrote:
>>> Hi Benoy -
>>>
>>> Great to hear that you are interested in taking on KNOX-192!
>>> I think Kevin's questions are a great start.
>>>
>>> * I think that we have to determine how generic a solution it is either
>>> across providers or even across Ping products. I know that there is a Ping
>>> Federate in addition to other solutions. Are you proposing a solution that
>>> would integrate with one or more of these and can we find out specifically?
>>>
>>> * I also assume that we are talking about consuming a token that was the
>>> result of a previous Ping based authentication - not that we will be
>>> collecting credentials and authenticating against Ping. If this is correct,
>>> we are really talking about a federation provider rather than an
>>> authentication provider. This distinction is mostly informational and we
>>> may collapse the two into a security provider type at some point.
>>>
>>> * I think that updating the Jira with some of these details as an
>>> introduction to a proposal that answers Kevin's questions would be great.
>>>
>>> In terms of what the module will need to consist of - you can use
>>> gateway-provider-security-shiro as an example of an authentication
>>> provider.
>>>
>>> The central component for a security provider is the servlet filter that
>>> does the processing/validation of the identity token. We can talk through
>>> the other components in the shiro provider as needed in order to spin up a
>>> proper Ping provider. This process will also be great to derive
>>> documentation for developing provider from!
>>>
>>> Looking forward to your contribution, Benoy.
>>>
>>> thanks,
>>>
>>> --larry
>>>
>>>
>>> On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <kevin.minder@hortonworks.com> wrote:
>>>
>>> > Hey Benoy,
>>> > Glad you have some time to get this going.  Let's continue this
>>> > conversation on dev@knox.  I'm guessing you are asking about which module
>>> > this should go in.  My thinking is that this would go in a separate module
>>> > probably called gateway-provider-security-ping or something similar.  If
>>> > after some quick discussion that is the right answer I'd be happy to create
>>> > a skeleton for you.  We should start though with getting an understanding
>>> > of how to approach the Ping integration.  To start with I have questions
>>> > like:
>>> > 1) What will be added to the REST request when Ping is being used?
>>> > 2) How will that be validated?  Callback to ping? Cryptographically?
>>> > 3) How do you see group membership being obtained when Ping is used for
>>> > SSO?
>>> > 4) Other things that I hope Larry will be able to think of...
>>> > Kevin.
>>> >
>>> >
>>> > On 11/19/13 10:49 PM, Benoy Antony wrote:
>>> >
>>> >> Larry, Kevin,
>>> >>
>>> >> hope you are keeping fine.
>>> >> If it's appropriate, I can take up
>>> >> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
>>> >>
>>> >> I have the new master version of knox and have the eclipse workspace
>>> >> based on it. If I can take up this task, could you please let me know which
>>> >> project should have this integration code ?
>>> >>
>>> >> thanks ,
>>> >> Benoy
>>> >>
>>> >>
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>
>

Re: Knox with Ping

Posted by Dilli Arumugam <da...@hortonworks.com>.
Hi Benoy,

I believe Ping would provide many ways of integration.
Would be interested to know the options you considered.

I believe Ping would support SAML artifact profile.
Did you consider integrating with that?
Would such an integration be more useful in that it can work across multiple
SAML identity providers?

Thanks
Dilli


On Thu, Nov 21, 2013 at 7:00 AM, larry mccay <la...@gmail.com> wrote:

> Hi Benoy -
>
> That seems like a reasonable approach forward.
> I'm not sure that we will be able to directly use a cookie intended for a
> specific server.
>
> There is an approach used by a number of SSO solutions in which a custom
> header is created that contains the user identity and propagated to the
> REST endpoints like this. We could sign or encrypt the header in order to
> ensure that it is from a trusted application.
>
> I believe that this is the approach used in scenarios like SiteMinder
> integration and others.
>
> While it is true that we really can't depend on a solution that requires a
> user to satisfy a challenge based on a browser redirect to a login page, it
> is probably not completely accurate to assume that we don't have REST
> clients running in a browser. The use of something like XMLHttpRequest may
> have to be used to set the custom header from javascript. Of course, server
> side integration would also be possible with this sort of approach.
>
> We will just need a way to ensure that we can set identity token - either
> custom HTTP header or Bearer Token type thing.
> Whatever we do - needs to also be able to be done from curl.
>
> You probably want to determine what Ping's recommended approach to such
> things is though.
>
> Feel free to ping me with any questions!
>
> thanks,
>
> --larry
>
>
>
> On Wed, Nov 20, 2013 at 5:34 PM, Benoy Antony <ba...@ebaysf.com> wrote:
>
>> Thanks guys.
>>
>> > 1) What will be added to the REST request when Ping is being used?
>> > 2) How will that be validated?  Callback to ping? Cryptographically?
>> > 3) How do you see group membership being obtained when Ping is used for
>> > SSO?
>>
>> So far we used Ping to authenticate browser based access. In this case,
>> Ping drops a cookie which contains the user's authentication information.
>> In our case, we have the group information on the servers using ldap.
>>
>> The authentication works via browser redirects and information is shared
>> using cookies.
>>
>> The information in the cookie is encrypted using a secret shared between Ping
>> and servers.
>>
>> I am trying to get more details on how to use Ping in the non-browser
>> use case.  I am assuming the Knox usage is primarily non-browser based.
>>
>> Once I get these details and based on inputs from you, I'll add the
>> design proposal to the Jira.
>>
>>
>>
>> thanks,
>> benoy
>> ________________________________
>> From: Dilli Arumugam [darumugam@hortonworks.com]
>> Sent: Tuesday, November 19, 2013 10:27 PM
>> To: dev@knox.incubator.apache.org
>> Cc: Benoy Antony
>> Subject: Re: Knox with Ping
>>
>> Welcome Benoy.
>> Thanks
>> Dilli
>>
>>
>> On Tue, Nov 19, 2013 at 8:31 PM, larry mccay <larry.mccay@gmail.com> wrote:
>> Hi Benoy -
>>
>> Great to hear that you are interested in taking on KNOX-192!
>> I think Kevin's questions are a great start.
>>
>> * I think that we have to determine how generic a solution it is either
>> across providers or even across Ping products. I know that there is a Ping
>> Federate in addition to other solutions. Are you proposing a solution that
>> would integrate with one or more of these and can we find out specifically?
>>
>> * I also assume that we are talking about consuming a token that was the
>> result of a previous Ping based authentication - not that we will be
>> collecting credentials and authenticating against Ping. If this is correct,
>> we are really talking about a federation provider rather than an
>> authentication provider. This distinction is mostly informational and we
>> may collapse the two into a security provider type at some point.
>>
>> * I think that updating the Jira with some of these details as an
>> introduction to a proposal that answers Kevin's questions would be great.
>>
>> In terms of what the module will need to consist of - you can use
>> gateway-provider-security-shiro as an example of an authentication
>> provider.
>>
>> The central component for a security provider is the servlet filter that
>> does the processing/validation of the identity token. We can talk through
>> the other components in the shiro provider as needed in order to spin up a
>> proper Ping provider. This process will also be great to derive
>> documentation for developing provider from!
>>
>> Looking forward to your contribution, Benoy.
>>
>> thanks,
>>
>> --larry
>>
>>
>> On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <kevin.minder@hortonworks.com> wrote:
>>
>> > Hey Benoy,
>> > Glad you have some time to get this going.  Let's continue this
>> > conversation on dev@knox.  I'm guessing you are asking about which module
>> > this should go in.  My thinking is that this would go in a separate module
>> > probably called gateway-provider-security-ping or something similar.  If
>> > after some quick discussion that is the right answer I'd be happy to create
>> > a skeleton for you.  We should start though with getting an understanding
>> > of how to approach the Ping integration.  To start with I have questions
>> > like:
>> > 1) What will be added to the REST request when Ping is being used?
>> > 2) How will that be validated?  Callback to ping? Cryptographically?
>> > 3) How do you see group membership being obtained when Ping is used for
>> > SSO?
>> > 4) Other things that I hope Larry will be able to think of...
>> > Kevin.
>> >
>> >
>> > On 11/19/13 10:49 PM, Benoy Antony wrote:
>> >
>> >> Larry, Kevin,
>> >>
>> >> hope you are keeping fine.
>> >> If it's appropriate, I can take up
>> >> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
>> >>
>> >> I have the new master version of knox and have the eclipse workspace
>> >> based on it. If I can take up this task, could you please let me know which
>> >> project should have this integration code ?
>> >>
>> >> thanks ,
>> >> Benoy
>> >>
>> >>
>> >
>> >
>>
>>
>>
>
>


Re: Knox with Ping

Posted by larry mccay <la...@gmail.com>.
Hi Benoy -

That seems like a reasonable approach forward.
I'm not sure that we will be able to directly use a cookie intended for a
specific server.

There is an approach used by a number of SSO solutions in which a custom
header is created that contains the user identity and propagated to the
REST endpoints like this. We could sign or encrypt the header in order to
ensure that it is from a trusted application.

I believe that this is the approach used in scenarios like SiteMinder
integration and others.

While it is true that we really can't depend on a solution that requires a
user to satisfy a challenge based on a browser redirect to a login page, it
is probably not completely accurate to assume that we don't have REST
clients running in a browser. The use of something like XMLHttpRequest may
have to be used to set the custom header from javascript. Of course, server
side integration would also be possible with this sort of approach.

We will just need a way to ensure that we can set identity token - either
custom HTTP header or Bearer Token type thing.
Whatever we do - needs to also be able to be done from curl.

You probably want to determine what Ping's recommended approach to such
things is though.

Feel free to ping me with any questions!

thanks,

--larry



On Wed, Nov 20, 2013 at 5:34 PM, Benoy Antony <ba...@ebaysf.com> wrote:

> Thanks guys.
>
> > 1) What will be added to the REST request when Ping is being used?
> > 2) How will that be validated?  Callback to ping? Cryptographically?
> > 3) How do you see group membership being obtained when Ping is used for
> > SSO?
>
> So far we used Ping to authenticate browser based access. In this case,
> Ping drops a cookie which contains the user's authentication information.
> In our case, we have the group information on the servers using ldap.
>
> The authentication works via browser redirects and information is shared
> using cookies.
>
> The information in the cookie is encrypted using a secret shared between Ping
> and servers.
>
> I am trying to get more details on how to use Ping in the non-browser use case.
> I am assuming the Knox usage is primarily non-browser based.
>
> Once I get these details and based on inputs from you, I'll add the
> design proposal to the Jira.
>
>
>
> thanks,
> benoy
> ________________________________
> From: Dilli Arumugam [darumugam@hortonworks.com]
> Sent: Tuesday, November 19, 2013 10:27 PM
> To: dev@knox.incubator.apache.org
> Cc: Benoy Antony
> Subject: Re: Knox with Ping
>
> Welcome Benoy.
> Thanks
> Dilli
>
>
> On Tue, Nov 19, 2013 at 8:31 PM, larry mccay <larry.mccay@gmail.com> wrote:
> Hi Benoy -
>
> Great to hear that you are interested in taking on KNOX-192!
> I think Kevin's questions are a great start.
>
> * I think that we have to determine how generic a solution it is either
> across providers or even across Ping products. I know that there is a Ping
> Federate in addition to other solutions. Are you proposing a solution that
> would integrate with one or more of these and can we find out specifically?
>
> * I also assume that we are talking about consuming a token that was the
> result of a previous Ping based authentication - not that we will be
> collecting credentials and authenticating against Ping. If this is correct,
> we are really talking about a federation provider rather than an
> authentication provider. This distinction is mostly informational and we
> may collapse the two into a security provider type at some point.
>
> * I think that updating the Jira with some of these details as an
> introduction to a proposal that answers Kevin's questions would be great.
>
> In terms of what the module will need to consist of - you can use
> gateway-provider-security-shiro as an example of an authentication
> provider.
>
> The central component for a security provider is the servlet filter that
> does the processing/validation of the identity token. We can talk through
> the other components in the shiro provider as needed in order to spin up a
> proper Ping provider. This process will also be great to derive
> documentation for developing provider from!
>
> Looking forward to your contribution, Benoy.
>
> thanks,
>
> --larry
>
>
> On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <kevin.minder@hortonworks.com> wrote:
>
> > Hey Benoy,
> > Glad you have some time to get this going.  Let's continue this
> > conversation on dev@knox.  I'm guessing you are asking about which module
> > this should go in.  My thinking is that this would go in a separate module
> > probably called gateway-provider-security-ping or something similar.  If
> > after some quick discussion that is the right answer I'd be happy to create
> > a skeleton for you.  We should start though with getting an understanding
> > of how to approach the Ping integration.  To start with I have questions
> > like:
> > 1) What will be added to the REST request when Ping is being used?
> > 2) How will that be validated?  Callback to ping? Cryptographically?
> > 3) How do you see group membership being obtained when Ping is used for
> > SSO?
> > 4) Other things that I hope Larry will be able to think of...
> > Kevin.
> >
> >
> > On 11/19/13 10:49 PM, Benoy Antony wrote:
> >
> >> Larry, Kevin,
> >>
> >> hope you are keeping fine.
> >> If it's appropriate, I can take up
> >> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
> >>
> >> I have the new master version of knox and have the eclipse workspace
> >> based on it. If I can take up this task, could you please let me know which
> >> project should have this integration code ?
> >>
> >> thanks ,
> >> Benoy
> >>
> >>
> >
> >
>
>
>
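
Added example, not part of the thread and not Knox code: one way to implement the signed identity header larry describes in the message above, showing both the issuing side (the trusted application) and the check a provider's servlet filter would run before trusting the user name. The header name, the payload layout (user, newline, expiry), HMAC-SHA256 as the signature and the shared secret are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: signed identity header, issuer side and gateway-side check. */
public class SignedIdentityHeader {
    // Hypothetical header name; the thread does not fix one.
    static final String HEADER = "X-Example-Identity";

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    SignedIdentityHeader(byte[] sharedSecret) {
        this.key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issuer side: value = b64url(payload) "." b64url(HMAC(payload)). */
    String issue(String user, Instant expires) {
        if (user.isEmpty() || user.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("user must be non-empty and single-line");
        }
        byte[] payload = (user + "\n" + expires.getEpochSecond())
                .getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }

    /** Gateway side: the user name, or empty if the header must not be trusted. */
    Optional<String> verify(String headerValue, Instant now) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.split("\\.", -1);
        if (parts.length != 2) return Optional.empty();
        byte[] payload;
        byte[] sig;
        try {
            payload = DEC.decode(parts[0]);
            sig = DEC.decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();              // not valid base64url
        }
        // Verify the MAC before interpreting any field; isEqual is constant-time.
        if (!MessageDigest.isEqual(mac(payload), sig)) return Optional.empty();
        String[] fields = new String(payload, StandardCharsets.UTF_8).split("\n", -1);
        if (fields.length != 2 || fields[0].isEmpty()) return Optional.empty();
        long expires;
        try {
            expires = Long.parseLong(fields[1]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        // An expiry bounds how long a captured header can be replayed.
        if (now.getEpochSecond() >= expires) return Optional.empty();
        return Optional.of(fields[0]);
    }

    public static void main(String[] args) {
        // Constructed secret, user and clock; a deployment would load the key
        // from a protected keystore rather than embed it.
        SignedIdentityHeader h = new SignedIdentityHeader(
                "constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        Instant now = Instant.parse("2013-11-21T12:00:00Z");
        String token = h.issue("alice", now.plusSeconds(300));
        System.out.println(HEADER + ": " + token);
        System.out.println("valid     -> " + h.verify(token, now));
        System.out.println("expired   -> " + h.verify(token, now.plusSeconds(301)));
        // Payload replaced with another user while the old MAC is kept: rejected.
        String swapped = ENC.encodeToString(("root\n" + now.plusSeconds(300).getEpochSecond())
                .getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println("tampered  -> " + h.verify(swapped, now));
        System.out.println("malformed -> " + h.verify("not-a-token", now));
    }
}
```

Run with `java SignedIdentityHeader.java` on Java 11 or later. Because the value is an ordinary header, a curl client can send it with `-H`, which matches the requirement stated in the message.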

RE: Knox with Ping

Posted by Benoy Antony <ba...@ebaysf.com>.
Thanks guys.

> 1) What will be added to the REST request when Ping is being used?
> 2) How will that be validated?  Callback to ping? Cryptographically?
> 3) How do you see group membership being obtained when Ping is used for
> SSO?

So far we used Ping to authenticate browser based access. In this case, Ping drops a cookie which contains the user's authentication information. In our case, we have the group information on the servers using ldap.

The authentication works via browser redirects and information is shared using cookies.

The information in the cookie is encrypted using a secret shared between Ping and servers.

I am trying to get more details on how to use Ping in the non-browser use case.  I am assuming the Knox usage is primarily non-browser based.

Once I get these details and based on inputs from you, I'll add the design proposal to the Jira.



thanks,
benoy
________________________________
From: Dilli Arumugam [darumugam@hortonworks.com]
Sent: Tuesday, November 19, 2013 10:27 PM
To: dev@knox.incubator.apache.org
Cc: Benoy Antony
Subject: Re: Knox with Ping

Welcome Benoy.
Thanks
Dilli


On Tue, Nov 19, 2013 at 8:31 PM, larry mccay <la...@gmail.com> wrote:
Hi Benoy -

Great to hear that you are interested in taking on KNOX-192!
I think Kevin's questions are a great start.

* I think that we have to determine how generic a solution it is either
across providers or even across Ping products. I know that there is a Ping
Federate in addition to other solutions. Are you proposing a solution that
would integrate with one or more of these and can we find out specifically?

* I also assume that we are talking about consuming a token that was the
result of a previous Ping based authentication - not that we will be
collecting credentials and authenticating against Ping. If this is correct,
we are really talking about a federation provider rather than an
authentication provider. This distinction is mostly informational and we
may collapse the two into a security provider type at some point.

* I think that updating the Jira with some of these details as an
introduction to a proposal that answers Kevin's questions would be great.

In terms of what the module will need to consist of - you can use
gateway-provider-security-shiro as an example of an authentication provider.

The central component for a security provider is the servlet filter that
does the processing/validation of the identity token. We can talk through
the other components in the shiro provider as needed in order to spin up a
proper Ping provider. This process will also be great to derive
documentation for developing provider from!

Looking forward to your contribution, Benoy.

thanks,

--larry


On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <ke...@hortonworks.com> wrote:

> Hey Benoy,
> Glad you have some time to get this going.  Let's continue this
> conversation on dev@knox.  I'm guessing you are asking about which module
> this should go in.  My thinking is that this would go in a separate module
> probably called gateway-provider-security-ping or something similar.  If
> after some quick discussion that is the right answer I'd be happy to create
> a skeleton for you.  We should start though with getting an understanding
> of how to approach the Ping integration.  To start with I have questions
> like:
> 1) What will be added to the REST request when Ping is being used?
> 2) How will that be validated?  Callback to ping? Cryptographically?
> 3) How do you see group membership being obtained when Ping is used for
> SSO?
> 4) Other things that I hope Larry will be able to think of...
> Kevin.
>
>
> On 11/19/13 10:49 PM, Benoy Antony wrote:
>
>> Larry, Kevin,
>>
>> hope you are keeping fine.
>> If it's appropriate, I can take up
>> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
>>
>> I have the new master version of knox and have the eclipse workspace
>> based on it. If I can take up this task, could you please let me know which
>> project should have this integration code ?
>>
>> thanks ,
>> Benoy
>>
>>
>
>



Re: Knox with Ping

Posted by Dilli Arumugam <da...@hortonworks.com>.
Welcome Benoy.
Thanks
Dilli


On Tue, Nov 19, 2013 at 8:31 PM, larry mccay <la...@gmail.com> wrote:

> Hi Benoy -
>
> Great to hear that you are interested in taking on KNOX-192!
> I think Kevin's questions are a great start.
>
> * I think that we have to determine how generic a solution it is either
> across providers or even across Ping products. I know that there is a Ping
> Federate in addition to other solutions. Are you proposing a solution that
> would integrate with one or more of these and can we find out specifically?
>
> * I also assume that we are talking about consuming a token that was the
> result of a previous Ping based authentication - not that we will be
> collecting credentials and authenticating against Ping. If this is correct,
> we are really talking about a federation provider rather than an
> authentication provider. This distinction is mostly informational and we
> may collapse the two into a security provider type at some point.
>
> * I think that updating the Jira with some of these details as an
> introduction to a proposal that answers Kevin's questions would be great.
>
> In terms of what the module will need to consist of - you can use
> gateway-provider-security-shiro as an example of an authentication
> provider.
>
> The central component for a security provider is the servlet filter that
> does the processing/validation of the identity token. We can talk through
> the other components in the shiro provider as needed in order to spin up a
> proper Ping provider. This process will also be great to derive
> documentation for developing providers from!
>
> Looking forward to your contribution, Benoy.
>
> thanks,
>
> --larry
>
>
> On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <kevin.minder@hortonworks.com> wrote:
>
> > Hey Benoy,
> > Glad you have some time to get this going.  Let's continue this
> > conversation on dev@knox.  I'm guessing you are asking about which module
> > this should go in.  My thinking is that this would go in a separate module
> > probably called gateway-provider-security-ping or something similar.  If
> > after some quick discussion that is the right answer I'd be happy to create
> > a skeleton for you.  We should start though with getting an understanding
> > of how to approach the Ping integration.  To start with I have questions
> > like:
> > 1) What will be added to the REST request when Ping is being used?
> > 2) How will that be validated?  Callback to ping? Cryptographically?
> > 3) How do you see group membership being obtained when Ping is used for SSO?
> > 4) Other things that I hope Larry will be able to think of...
> > Kevin.
> >
> >
> > On 11/19/13 10:49 PM, Benoy Antony wrote:
> >
> >> Larry, Kevin,
> >>
> >> hope you are keeping fine.
> >> If it's appropriate, I can take up
> >> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
> >>
> >> I have the new master version of knox and have the eclipse workspace
> >> based on it. If I can take up this task, could you please let me know which
> >> project should have this integration code?
> >>
> >> thanks,
> >> Benoy
> >>
> >>
> >
>


Re: Knox with Ping

Posted by larry mccay <la...@gmail.com>.
Hi Benoy -

Great to hear that you are interested in taking on KNOX-192!
I think Kevin's questions are a great start.

* I think that we have to determine how generic a solution it is either
across providers or even across Ping products. I know that there is a Ping
Federate in addition to other solutions. Are you proposing a solution that
would integrate with one or more of these and can we find out specifically?

* I also assume that we are talking about consuming a token that was the
result of a previous Ping based authentication - not that we will be
collecting credentials and authenticating against Ping. If this is correct,
we are really talking about a federation provider rather than an
authentication provider. This distinction is mostly informational and we
may collapse the two into a security provider type at some point.

* I think that updating the Jira with some of these details as an
introduction to a proposal that answers Kevin's questions would be great.

In terms of what the module will need to consist of - you can use
gateway-provider-security-shiro as an example of an authentication provider.

The central component for a security provider is the servlet filter that
does the processing/validation of the identity token. We can talk through
the other components in the shiro provider as needed in order to spin up a
proper Ping provider. This process will also be great to derive
documentation for developing providers from!

Looking forward to your contribution, Benoy.

thanks,

--larry


On Tue, Nov 19, 2013 at 10:57 PM, Kevin Minder <kevin.minder@hortonworks.com> wrote:

> Hey Benoy,
> Glad you have some time to get this going.  Let's continue this
> conversation on dev@knox.  I'm guessing you are asking about which module
> this should go in.  My thinking is that this would go in a separate module
> probably called gateway-provider-security-ping or something similar.  If
> after some quick discussion that is the right answer I'd be happy to create
> a skeleton for you.  We should start though with getting an understanding
> of how to approach the Ping integration.  To start with I have questions
> like:
> 1) What will be added to the REST request when Ping is being used?
> 2) How will that be validated?  Callback to ping? Cryptographically?
> 3) How do you see group membership being obtained when Ping is used for
> SSO?
> 4) Other things that I hope Larry will be able to think of...
> Kevin.
>
>
> On 11/19/13 10:49 PM, Benoy Antony wrote:
>
>> Larry, Kevin,
>>
>> hope you are keeping fine.
>> If it's appropriate, I can take up
>> https://issues.apache.org/jira/browse/KNOX-192 as I have some bandwidth now.
>>
>> I have the new master version of knox and have the eclipse workspace
>> based on it. If I can take up this task, could you please let me know which
>> project should have this integration code?
>>
>> thanks,
>> Benoy
>>
>>
>