[Nsi-wg] Issue 28 in ogf-nsi-project: Security

ogf-nsi-project at googlecode.com
Fri Oct 7 05:17:12 CDT 2011


Comment #5 on issue 28 by thost... at gmail.com: Security
http://code.google.com/p/ogf-nsi-project/issues/detail?id=28

I'd like to try and get SAML out of the WSDL before the SC11 demo. SAML is  
typically used in single sign on between identity provider and service  
providers. It does not really fit into NSI.

We may have the need to have something like sessionSecurityAttr, though  
often these attributes are not related to security, but are typically  
request meta-data. Perhaps we could just call them sessionAttributes. Anyway,  
I think the scheme with Name/Value in the protocol spec. e.g.:

<sessionAttribute>
     <name> ... </name>
     <value> ... </value>
</sessionAttribute>

and a slightly more real example:

<sessionAttribute>
     <name>requesterIdentity</name>
     <value>nsiuser at example.com</value>
</sessionAttribute>

The idea here is to have a place for connection information. What it should  
NOT be used for is any authentication or authorization, and ideally the  
attributes can be stripped without any repercussions.

If possible I would like to use this for SC11 visualization query tool,  
which could add something like:

<sessionAttribute>
     <name>requesterIdentity</name>
     <value>NSIVisualizationTool</value>
</sessionAttribute>

Which would indicate to the NSI agent that it should return all  
connections in the query made. This can of course be combined with proper  
authentication/authorization when we have that, but right now we don't. Well,  
there is the IP address, which can be made available from the MTL /  
protocol layer.
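
An added example, not part of the original message or the NSI project's code: a check that a query handler returns the same result once every sessionAttribute is stripped, which is the property the message asks for. The <queryRequest> wrapper, the handler names, the connection table and the peer addresses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed request; <queryRequest> is a hypothetical wrapper, not from the NSI WSDL.
SAMPLE = """<queryRequest>
  <sessionAttribute>
    <name>requesterIdentity</name>
    <value>NSIVisualizationTool</value>
  </sessionAttribute>
</queryRequest>"""

# Constructed data: connection id -> owning peer address (documentation IP range).
CONNECTIONS = {"conn-1": "192.0.2.10", "conn-2": "192.0.2.20"}

def session_attributes(root):
    """Collect name/value pairs as a list, since names may repeat."""
    pairs = []
    for el in root.iter("sessionAttribute"):
        name = (el.findtext("name") or "").strip()
        if name:
            pairs.append((name, (el.findtext("value") or "").strip()))
    return pairs

def strip_session_attributes(root):
    """Remove every sessionAttribute element in place."""
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "sessionAttribute":
                parent.remove(child)

def query_by_peer(root, peer_addr):
    """Result depends only on the peer address supplied by the transport layer."""
    return sorted(c for c, owner in CONNECTIONS.items() if owner == peer_addr)

def query_by_attribute(root, peer_addr):
    """Result widens when a requesterIdentity attribute names the tool."""
    if ("requesterIdentity", "NSIVisualizationTool") in session_attributes(root):
        return sorted(CONNECTIONS)
    return query_by_peer(root, peer_addr)

def survives_stripping(handler, xml_text, peer_addr):
    """True if the handler returns the same result once attributes are removed."""
    full, bare = ET.fromstring(xml_text), ET.fromstring(xml_text)
    strip_session_attributes(bare)
    return handler(full, peer_addr) == handler(bare, peer_addr)
```

A handler for which survives_stripping returns False is making its decision on a value any requester can set.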


