[ogsa-authn-bof] Shibboleth/Grid Namespace mapping for SWITCH SLCS
Christoph Witzig
witzig at switch.ch
Mon Feb 12 17:34:21 CST 2007
Dear all,
I wanted to inject the rule for how the SWITCHslcs DN gets constructed into
this discussion:
The SWITCHslcs generates an X.509 certificate (not a proxy) based upon
successful authentication at the Shibboleth IdP. The Shib attributes are
used to construct the DN of the certificate in the following way:
Example:
Subject: DC=ch, DC=switch, DC=slcs, O=Switch - Teleinformatikdienste
fuer Lehre und Forschung, CN=Christoph Witzig 8CA3021D
Quote from the CP/CPS:
For the distinguished name the following relative distinguished names
(RDN) are required: DC, CN and either O or OU.
The distinguished name shall start with the following RDNs:
/DC=ch/DC=switch/DC=slcs.
The organization RDN (O) contains the name of the institution operating
the Identity Provider as registered in the Commercial Registry Office or
used in an official document, such as cantonal law, e.g. ‘Switch -
Teleinformatikdienste fuer Lehre und Forschung’.
If the identity provider of the requester is the virtual home
organization, the O RDN is not present and the OU RDN is set to
‘SWITCHaai Virtual Home Organization’.
The common name (CN) is constructed based on the attributes of the user
as provided by his/her Identity Provider: CN=’givenname surname uniqueInt’.
Givenname and surname are the corresponding attributes of the user. The
attribute definitions of SWITCHaai are derived from the eduPerson schema
and are described in the attribute specification document available at
http://www.switch.ch/aai/documents.
The uniqueInt is an immutable unique integer in hexadecimal format,
generated out of the requester’s attributes as provided by the Identity
Provider. The uniqueness of the uniqueInt, and therefore of the DN, is
guaranteed by the SWITCHaai attribute UniqueID, which identifies an
individual uniquely within the SWITCHaai federation.
If the optional subjectAltName extension is present, then it must
contain an rfc822Name entry carrying the “e-mail” attribute of the user
as provided by his/her Identity Provider.
Cheers
Christoph
--
------- SWITCH - The Swiss Education & Research Network -------
Christoph Witzig Security http://www.switch.ch/
SWITCH, Neumuehlequai 6, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: witzig at switch.ch P: +41 44 268 15 66 F: +41 44 268 15 68
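The DN construction rule quoted above, as an added example (not SWITCH's code): a builder that turns Shibboleth attributes into an SLCS subject DN, and a checker that a relying party could use to verify a presented DN follows the CP/CPS rules (fixed DC prefix, exactly one of O or OU, VHO-only OU, CN of the form 'givenname surname uniqueInt'). The derivation of uniqueInt from UniqueID is not given on the page; the SHA-256 truncation below is an assumption for illustration only.

```python
import hashlib
import re

# Fixed prefix mandated by the CP/CPS quoted in the mail.
SLCS_PREFIX = ["DC=ch", "DC=switch", "DC=slcs"]
VHO_OU = "SWITCHaai Virtual Home Organization"


def unique_int(unique_id: str) -> str:
    """Derive the 8-hex-digit uniqueInt from the SWITCHaai UniqueID.
    ASSUMPTION: the CP/CPS only says it is an immutable hex integer derived
    from the user's attributes; the first 32 bits of SHA-256 over UniqueID
    are used here purely for illustration."""
    return hashlib.sha256(unique_id.encode("utf-8")).hexdigest()[:8].upper()


def escape_rdn_value(value: str) -> str:
    """Escape characters that are always special in an RFC 4514 string DN."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def build_slcs_dn(attrs: dict, vho: bool = False) -> str:
    """Build the SLCS subject DN from Shibboleth attributes.
    attrs needs givenName, surname, uniqueID and, unless vho, 'org'
    (the registered name of the institution operating the IdP)."""
    cn = f"{attrs['givenName']} {attrs['surname']} {unique_int(attrs['uniqueID'])}"
    org_rdn = f"OU={VHO_OU}" if vho else f"O={escape_rdn_value(attrs['org'])}"
    return ", ".join(SLCS_PREFIX + [org_rdn, f"CN={escape_rdn_value(cn)}"])


def check_slcs_dn(dn: str) -> list:
    """Return the CP/CPS rules a DN violates (empty list means it conforms)."""
    problems = []
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
    if rdns[:3] != SLCS_PREFIX:
        problems.append("DN must start with /DC=ch/DC=switch/DC=slcs")
    types = [r.split("=", 1)[0] for r in rdns]
    has_o, has_ou = "O" in types, "OU" in types
    if has_o == has_ou:  # neither present, or both present
        problems.append("exactly one of O or OU is required")
    if has_ou and f"OU={VHO_OU}" not in rdns:
        problems.append("OU is only allowed for the VHO and must carry the VHO name")
    cns = [r[3:] for r in rdns if r.startswith("CN=")]
    if len(cns) != 1 or not re.fullmatch(r"\S+( \S+)+ [0-9A-Fa-f]+", cns[0]):
        problems.append("exactly one CN of the form 'givenname surname uniqueInt' is required")
    return problems
```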