VRE Diagram

1. Diagram

Diagram 1 shows the interaction of a user and a pair of VREs; the user's home institution and the federation's WAYF play a supporting role. The user first views a protected page in VRE 1 and then follows a link on that page to a protected page in VRE 2. The institutions hosting the VREs and the user's home institution are all assumed to be part of the same Shibboleth federation.

The WAYF and IdP store information in cookies, so logging on to a second VRE is actually faster than logging into the first, because both can issue redirects immediately rather than asking the user for information first and then redirecting.

http://static.flickr.com/109/309422449_414cefd2e2_o_d.png

Accessing a protected page on the first VRE involves the following steps:

  1. The user requests a protected web page from VRE 1.
  2. The user has not visited VRE 1 before, so is redirected to the WAYF (Where Are You From) for the federation.
  3. The WAYF determines which institution the user belongs to and redirects them to the IdP (Identity Provider) for that institution. This determination can be done by user selection, with hints based on where they are connecting from. Once determined, this information is stored in a very long-lived cookie, so the user need not see the WAYF again.
  4. The IdP logs the user in and redirects the user back to VRE 1. Most IdPs use session cookies with 8-12 hours of life, so the user only sees the actual login page first thing every morning. Some IdPs (such as the WebAuth one used at Oxford) have an extra page in here, which is used for user education about the security system.
  5. If VRE 1 needs to examine user attributes to determine whether the user has access to the page, it then connects to the AA (Attribute Authority) to obtain user attributes. All current VREs do this.
  6. The AA returns a set of user attributes for the user, based on the previous login.
  7. VRE 1 then checks the user attributes to determine whether the user is allowed to access the page, assembles the page and returns the resulting page to the user.

Accessing a protected page on the second VRE involves the following steps:

  1. The user clicks on a link from the protected page served by VRE 1 which points to a protected page in VRE 2.
  2. The user has not visited VRE 2 before, so is redirected to the WAYF for the federation.
  3. The WAYF remembers which institution the user is from (because it stored it in a cookie in step (3) above) and redirects the user straight to their IdP.
  4. The IdP remembers that the user is still logged in (because it stored a cookie in step (4) above) and redirects the user straight back to VRE 2.
  5. If VRE 2 needs to examine user attributes to determine whether the user has access to the page, it then connects to the AA to obtain user attributes.
  6. The AA returns a set of user attributes for the user, based on the previous login.
  7. VRE 2 then checks the user attributes to determine whether the user is allowed to access the page, assembles the page and returns the resulting page to the user.
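The two step lists above can be run end to end as a small simulation. This is an added example, not code from the OSS Watch wiki or from the Sakai VRE project: the host names, cookie names, the eduPersonAffiliation rule each VRE applies and the two sample users are constructed for illustration, and the SAML redirects and signed assertions of a real Shibboleth deployment are replaced by direct method calls. What it shows is the point the page makes: the first VRE access costs the user two prompts (WAYF selection and IdP login), the second VRE access still passes through the WAYF and IdP but costs no prompts because both recognise their cookies, and the attribute check at step 7 is what actually decides access.

```python
"""Simulation of the VRE 1 then VRE 2 access flows (added example, constructed
names and data; not the wiki's or the Sakai VRE project's own code)."""
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Cookie jar keyed by host, plus a log of pages that needed user input."""
    username: str
    institution: str                       # the IdP the user picks at the WAYF
    cookies: dict = field(default_factory=dict)
    prompts: list = field(default_factory=list)

    def cookie(self, host, name):
        return self.cookies.get(host, {}).get(name)

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value


class WAYF:
    """Step 3: asks once, then remembers the institution in a long-lived cookie."""
    host = "wayf.federation.example"       # constructed

    def discover(self, browser):
        idp_host = browser.cookie(self.host, "_saml_idp")
        if idp_host is None:
            browser.prompts.append("WAYF institution selection")
            idp_host = browser.institution
            browser.set_cookie(self.host, "_saml_idp", idp_host)
        return idp_host


class IdP:
    """Step 4 (login, reusing the session cookie) and step 6 (the AA lookup)."""

    def __init__(self, host, directory):
        self.host, self.directory = host, directory   # username -> attributes
        self.sessions = {}                             # session id -> username

    def login(self, browser):
        sid = browser.cookie(self.host, "_idp_session")
        if sid not in self.sessions:                   # no live session: show login page
            browser.prompts.append(f"login page at {self.host}")
            sid = f"sess-{len(self.sessions) + 1}"
            self.sessions[sid] = browser.username
            browser.set_cookie(self.host, "_idp_session", sid)
        return sid

    def attributes(self, sid):
        """Attribute Authority: attributes for a previously established login."""
        return dict(self.directory[self.sessions[sid]])


class VRE:
    """Service provider side: steps 1, 2, 5 and 7 of both flows."""

    def __init__(self, host, wayf, idps, allowed_affiliations):
        self.host, self.wayf, self.idps = host, wayf, idps
        self.allowed = set(allowed_affiliations)
        self.sessions = {}                 # local session id -> attributes
        self.redirects = []                # hosts this VRE redirected the user to

    def get_protected(self, browser, path):
        sid = browser.cookie(self.host, "_vre_session")
        if sid not in self.sessions:                         # first visit to this VRE
            idp = self.idps[self.wayf.discover(browser)]     # steps 2-3
            self.redirects += [self.wayf.host, idp.host]
            attrs = idp.attributes(idp.login(browser))       # steps 4-6
            sid = f"{self.host}-{len(self.sessions) + 1}"
            self.sessions[sid] = attrs
            browser.set_cookie(self.host, "_vre_session", sid)
        attrs = self.sessions[sid]                           # step 7: the access decision
        if self.allowed & set(attrs.get("eduPersonAffiliation", [])):
            return 200, f"{self.host}{path} for {attrs['uid']}"
        return 403, "forbidden"


def run_scenario():
    """alice (staff) visits VRE 1 then follows a link to VRE 2; bob (alum) is
    refused by VRE 1 at step 7. Returns status codes and per-access prompt counts."""
    directory = {                                            # constructed AA data
        "alice": {"uid": "alice", "eduPersonAffiliation": ["staff", "member"]},
        "bob": {"uid": "bob", "eduPersonAffiliation": ["alum"]},
    }
    wayf = WAYF()
    idps = {"idp.oxford.example": IdP("idp.oxford.example", directory)}
    vre1 = VRE("vre1.example", wayf, idps, ["staff", "member"])
    vre2 = VRE("vre2.example", wayf, idps, ["staff", "member"])
    alice = Browser("alice", "idp.oxford.example")
    bob = Browser("bob", "idp.oxford.example")
    first = vre1.get_protected(alice, "/protected")
    prompts_first = len(alice.prompts)
    second = vre2.get_protected(alice, "/linked")            # link followed from VRE 1
    prompts_second = len(alice.prompts) - prompts_first
    denied = vre1.get_protected(bob, "/protected")
    return {"first": (first[0], prompts_first), "second": (second[0], prompts_second),
            "vre2_redirect_hops": len(vre2.redirects), "denied": denied[0]}


if __name__ == "__main__":
    print(run_scenario())
```

The VRE keeps its own session cookie as well, so a user who has already visited that particular VRE is not sent to the WAYF at all; only the first visit to each VRE takes the WAYF and IdP hops, and those hops are silent once the WAYF and IdP cookies exist.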

This diagram is available from flickr: http://www.flickr.com/photos/stuartyeates/309422449/


-- StuartYeates 2006-11-29 12:20:22

OSSWatchWiki: SakaiVre/VREDiagram (last edited 2013-04-15 13:56:18 by localhost)

The content of this wiki is licensed under the Creative Commons Attribution-ShareAlike 2.0 England & Wales Licence.

OSS Watch is funded by the Joint Information Systems Committee (JISC) and is situated within the Research Technologies Service (RTS) of the University of Oxford.