[ogsa-authn-bof] Shibboleth/Grid Namespace mapping for SWITCH SLCS

Christoph Witzig witzig at switch.ch
Mon Feb 12 17:34:21 CST 2007


Dear all,

I wanted to inject the rule for how the SWITCHslcs DN gets constructed into 
this discussion:

The SWITCHslcs generates an X.509 certificate (not a proxy) based upon 
successful authentication at the Shibboleth IdP. The Shib attributes are 
used to construct the DN of the certificate in the following way:

Example:
Subject: DC=ch, DC=switch, DC=slcs, O=Switch - Teleinformatikdienste 
fuer Lehre und Forschung, CN=Christoph Witzig 8CA3021D

Quote from the CP/CPS:

For the distinguished name the following relative distinguished names 
(RDN) are required: DC, CN and either O or OU.
The distinguished name shall start with the following RDNs: 
/DC=ch/DC=switch/DC=slcs.
The organization RDN (O) contains the name of the institution operating 
the Identity Provider as registered in the Commercial Registry Office or 
used in an official document, such as cantonal law, e.g. ‘Switch - 
Teleinformatikdienste fuer Lehre und Forschung’.
If the identity provider of the requester is the virtual home 
organization, the O RDN is not present and the OU RDN is set to 
‘SWITCHaai Virtual Home Organization’.
The common name (CN) is constructed based on the attributes of the user 
as provided by his/her Identity Provider: CN=‘givenname surname uniqueInt’.
Givenname and surname are the corresponding attributes of the user. The 
attribute definitions of SWITCHaai are derived from the eduPerson schema 
and are described in the attribute specification document available at 
http://www.switch.ch/aai/documents.
The uniqueInt is an immutable unique integer in hexadecimal format, 
generated out of the requester’s attributes as provided by the Identity 
Provider. The uniqueness of the uniqueInt, and therefore of the DN, is 
guaranteed by the SWITCHaai attribute UniqueID, which identifies an 
individual uniquely within the SWITCHaai federation.
If the optional subjectAltName extension is present, then it must 
contain an rfc822Name entry carrying the “e-mail” attribute of the user 
as provided by his/her Identity Provider.

Cheers

Christoph

-- 
-------  SWITCH - The Swiss Education & Research Network  -------
Christoph Witzig         Security           http://www.switch.ch/
SWITCH, Neumuehlequai 6, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: witzig at switch.ch P: +41 44 268 15 66  F: +41 44 268 15 68
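The naming rule quoted above, worked through in code. This is an added example, not SWITCH's own SLCS code: it builds the RDN sequence from a constructed set of Shibboleth attributes, takes the O-versus-OU branch for a Virtual Home Organization user, emits the optional rfc822Name SAN, and gives a relying party a conformance check for the CP/CPS rules. Everything the quoted text leaves open is an assumption here: the attribute keys (givenName, surname, uniqueID, mail, homeOrganization), the derivation of uniqueInt (the CP/CPS only says it is an immutable hex integer backed by UniqueID; the example uses the first 32 bits of SHA-256 over uniqueID, so it will not reproduce the 8CA3021D in the Subject shown above), how the caller knows the IdP is the VHO, and the rejection of DN delimiter characters in IdP-asserted values, which is the example's own precaution.

```python
"""Construct and check a SWITCHslcs-style subject DN from Shibboleth attributes.

Added example, not SWITCH's code. Assumptions (not fixed by the quoted CP/CPS):
  * attribute keys: givenName, surname, uniqueID, mail, homeOrganization
  * uniqueInt = first 32 bits of SHA-256 over uniqueID, upper-case hex
  * the caller already knows whether the user's IdP is the Virtual Home
    Organization (in practice this would come from the IdP's entityID)
  * attribute values containing DN delimiters are rejected (own precaution)
"""
import hashlib
import re

SLCS_PREFIX = [("DC", "ch"), ("DC", "switch"), ("DC", "slcs")]
VHO_OU = "SWITCHaai Virtual Home Organization"
# Characters that would let an IdP-asserted value smuggle extra RDNs into a
# slash-separated DN string (conservative choice, an assumption of this example).
FORBIDDEN = set("/=\n\r\x00")
# CN = 'givenname surname uniqueInt': at least two name tokens, then hex.
CN_RE = re.compile(r"^\S+(?: \S+)+ [0-9A-F]+$")


def unique_int(unique_id: str) -> str:
    """Immutable hex integer derived from the federation-wide UniqueID (assumed derivation)."""
    return hashlib.sha256(unique_id.encode("utf-8")).digest()[:4].hex().upper()


def _clean(name: str, value) -> str:
    """Reject missing values and delimiter characters before they reach the DN."""
    if not value or not value.strip():
        raise ValueError(f"attribute {name} is missing or empty")
    if FORBIDDEN & set(value):
        raise ValueError(f"attribute {name} contains a DN delimiter")
    return value.strip()


def build_subject(attrs: dict, vho: bool = False) -> list:
    """Return the subject as an ordered list of (type, value) RDN pairs."""
    given = _clean("givenName", attrs.get("givenName"))
    sur = _clean("surname", attrs.get("surname"))
    uid = _clean("uniqueID", attrs.get("uniqueID"))
    rdns = list(SLCS_PREFIX)
    if vho:
        # VHO users: no O, OU fixed to the VHO name.
        rdns.append(("OU", VHO_OU))
    else:
        rdns.append(("O", _clean("homeOrganization", attrs.get("homeOrganization"))))
    rdns.append(("CN", f"{given} {sur} {unique_int(uid)}"))
    return rdns


def subject_alt_names(attrs: dict) -> list:
    """Optional SAN: when present it carries the IdP-asserted e-mail as rfc822Name."""
    mail = attrs.get("mail")
    return [("rfc822Name", mail.strip())] if mail and mail.strip() else []


def to_oneline(rdns: list) -> str:
    """Slash-separated form as written in the CP/CPS and in grid-mapfiles."""
    return "".join(f"/{t}={v}" for t, v in rdns)


def conforms(rdns: list) -> bool:
    """Relying-party check of the naming rules: prefix, CN, exactly one of O/OU."""
    if rdns[:3] != SLCS_PREFIX:
        return False
    types = [t for t, _ in rdns]
    if types.count("CN") != 1 or types.count("O") + types.count("OU") != 1:
        return False
    values = dict(rdns)
    if "OU" in types and values["OU"] != VHO_OU:
        return False
    return CN_RE.match(values["CN"]) is not None


# Constructed sample attribute sets (illustrative values, not real identifiers).
SAMPLE_USER = {
    "givenName": "Christoph",
    "surname": "Witzig",
    "uniqueID": "000001@switch.ch",
    "mail": "user@example.org",
    "homeOrganization": "Switch - Teleinformatikdienste fuer Lehre und Forschung",
}
VHO_USER = {
    "givenName": "Anna",
    "surname": "Muster",
    "uniqueID": "000002@vho-switchaai.ch",
    "mail": "anna.muster@example.org",
}

if __name__ == "__main__":
    for attrs, vho in ((SAMPLE_USER, False), (VHO_USER, True)):
        subject = build_subject(attrs, vho=vho)
        print(to_oneline(subject), subject_alt_names(attrs), conforms(subject))
```

The two properties a grid relying party cares about are visible in the functions: the same UniqueID always yields the same CN (the mapping from DN to account in a grid-mapfile stays stable), and two users sharing a given name and surname at the same institution still get distinct DNs because uniqueInt differs.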