Mock vs Real Single Sign-On
This document describes the differences between the mock and the real single sign-on (SSO) solutions for the Laboratory Catalog and Archive System (LabCAS) at the National Institute of Standards and Technology (NIST).
Mock SSO
The mock SSO solution for NIST LabCAS uses the mock-auth service to simulate an SSO solution by acting as a sample identity provider.
The service is launched from the docker-compose.yml file in the labcas-docker repository. It is implemented as a Node application that listens on TCP port 3001, answers authentication requests over HTTP, and returns a fixed JWT whose payload carries the following hard-coded fields:
userId: testUser
userEmail: user@example.com
userName: Test
userLastName: User
winId: test1
Group: Mock Auth Group
The token value is always the literal string dummy-jwt-token-value, and it is returned in response to requests to /sso/saml/login.
Note
The backend will not accept dummy-jwt-token-value as valid unless it is started with the ACCEPT_ANY_JWT environment variable set to the word DANGEROUS. This is a deliberate reminder that the mock SSO solution is not secure: it authenticates any and every user as valid and returns the same dummy-jwt-token-value JWT for all of them.
Actual SSO
The actual SSO solution for NIST LabCAS is yet to be determined. NIST runs a large user database and has an identity provider whose details are not yet known. What is known is that this SSO solution will provide JWT tokens carrying fields such as those listed above, but with real rather than mock values, and that the tokens will be cryptographically signed with a private key. The only fields in the token that are guaranteed to be present are userId and userEmail.
Once the LabCAS user interface is redirected back from the NIST SSO login screen, it also receives the signed JWT. The user interface then passes the JWT to the backend, which uses it to determine the user's identity and permissions. Note that the NIST SSO does not indicate group membership, so the backend looks up group memberships for the user in LDAP at ldaps://edrn-ds.jpl.nasa.gov (keyed on the userId field from the JWT) and uses that information to check and enforce permissions.
Administrators can manage group memberships using Biokey, a convenient web application for interacting with the LDAP server used by LabCAS. That server is intended for group memberships only, although it currently also holds users while integration with the actual NIST SSO is ongoing.