User Authentication - A user, or a service operating on behalf of a user, authenticates against an identity provider to obtain a certificate that subsequently identifies the user to DataONE services.
Many operations in the DataONE system require the caller's identity to be established so that access controls can be enforced and so that other services, such as citation and notification, behave as expected.
The identity and authentication framework itself may sit outside DataONE; the first version of the infrastructure uses the certificate-based services of CILogon.
The user obtains a certificate from the CILogon service, then presents that certificate when making API calls against DataONE services.
Alternatively, DataONE may issue a long-lived certificate to systems such as Member Nodes that need to authenticate to other DataONE components.
In each case the presented certificate carries the caller's subject, any equivalent (alternate) subjects, and group memberships. A service validates the certificate and then uses this information to decide whether the caller may access the requested resource.
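The following Go program is an added example, not code from the DataONE project, showing the service side of this flow: a certificate authority standing in for CILogon or DataONE issues a client certificate whose subject and group memberships travel inside the certificate, and a service verifies the chain against its trusted roots before it reads those fields and evaluates an access policy. The extension OID, the encoding of group memberships as a plain list of names, the layout of the policy, and the use of "public" as the subject that matches anonymous callers are all assumptions made for this example, not DataONE's actual formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidGroups is a made-up private-arc OID for this example's group extension, not DataONE's real SubjectInfo OID.
var oidGroups = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn carrying groups in a non-critical extension, signed by
// parent/parentKey or self-signed (and marked as a CA) when parent is nil.
func issue(cn string, groups []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	raw, _ := asn1.Marshal(groups) // SEQUENCE OF string (empty for the CA); a []string always marshals
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(12 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions:       []pkix.Extension{{Id: oidGroups, Value: raw}},
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// authenticate verifies the chain against the trusted roots before reading anything out of
// the certificate: an untrusted certificate yields no identity, whatever its fields claim.
func authenticate(cert *x509.Certificate, roots *x509.CertPool) (subject string, groups []string, err error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", nil, fmt.Errorf("certificate rejected: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidGroups) {
			if _, err = asn1.Unmarshal(ext.Value, &groups); err != nil {
				return "", nil, fmt.Errorf("malformed group extension: %w", err)
			}
		}
	}
	return cert.Subject.String(), groups, nil
}

// authorize reports whether a caller holds perm under a policy that maps each permission to the
// subjects (user DNs, group DNs, or "public", assumed here to match every caller) holding it.
func authorize(policy map[string][]string, perm, subject string, groups []string) bool {
	principals := append([]string{"public", subject}, groups...) // subject is "" for anonymous callers
	for _, allowed := range policy[perm] {
		for _, mine := range principals {
			if allowed == mine {
				return true
			}
		}
	}
	return false
}

// Demo runs the flow end to end and reports each "caller permission" outcome, including a
// self-signed certificate claiming alice's subject and groups, which is rejected unread.
func Demo() map[string]bool {
	ca, caKey := issue("Example CA", nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice, _ := issue("alice", []string{"CN=curators,DC=example,DC=org"}, ca, caKey)
	subject, groups, err := authenticate(alice, roots)
	policy := map[string][]string{"read": {"public"}, "write": {"CN=curators,DC=example,DC=org"}, "changePermission": {"CN=bob"}}
	rogue, _ := issue("alice", []string{"CN=curators,DC=example,DC=org"}, nil, nil)
	_, _, rogueErr := authenticate(rogue, roots)
	return map[string]bool{
		"alice authenticated": err == nil,
		"alice write":         authorize(policy, "write", subject, groups),
		"anonymous read":      authorize(policy, "read", "", nil),
		"anonymous write":     authorize(policy, "write", "", nil),
		"rogue rejected":      rogueErr != nil,
	}
}
func main() { fmt.Println(Demo()) }
```

Two details are worth keeping in mind when adapting this. Go's `x509.VerifyOptions` defaults to checking for the ServerAuth extended key usage, so a client certificate must be verified with `KeyUsages` set to ClientAuth or it will be rejected even when correctly issued. And the identity fields are read only after `Verify` succeeds: a self-signed certificate that copies alice's subject and groups never reaches the authorization step, which is the certificate-based equivalent of the failure case in which no usable certificate is available.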
Actors: User, Member Node, Coordinating Node, Authentication System
Preconditions: The user is not yet authenticated in the system.
Triggers: A user logs on to the DataONE system, or a user needs to access a restricted operation.
Post conditions: A certificate is returned to the user that DataONE services can use to identify the user. If authentication fails, no certificate is issued and the user remains unauthenticated.
Figure 1. Obtaining a client-side certificate from the CILogon service.
Figure 2. Obtaining a long-lived client-side certificate from DataONE.
Figure 3. Authenticated interaction with a service provided by a Member Node or Coordinating Node.