[ogsa-authn-bof] SAML-Grid Name Mapping Framework

Tom Scavo trscavo at gmail.com
Mon Feb 19 12:12:07 CST 2007


On 2/18/07, Nate Klingenstein <ndk at internet2.edu> wrote:
>
> The first is simply mapping some information sent by a Shibboleth IdP
> to something that can be embedded in a grid credential.  This is
> important in two main scenarios: when authentication implicitly
> grants authorization, e.g. a list of names in an ACL, and the other
> is when we want to take something back out of that credential and use
> it to acquire additional information or credentials, e.g. attribute
> pull.

A third scenario---the scenario of most interest, in fact---involves
attribute push, where the X.509 certificate contains attributes and
other artifacts of authz.  Of course VOMS is the most prevalent
example of attribute push in grids.  While VOMS pushes X.509 attribute
certificates, however, we propose pushing SAML attribute assertions.

> Individual grid SP's or credential services should be
> able to extract the same SAML identifier and source from a given
> certificate.  It then becomes the responsibility of the IdP or the DS
> to provide the right identifier for callbacks to itself and its
> friends.

Callbacks are only half the story, perhaps less than half.

> ... somewhere in the certificate, in the DN or
> in a certificate extension, two pieces of information are needed:
>
> 1. the IdP entityID (but I'd add the necessary addressing and
> protocol information as well, which may vary)

I don't think anything but the entityID is needed since I'm assuming
the existence of metadata at the Grid SP.  A logical place for the
entityID is the Subject Information Access extension.

> 2. a SAML Subject

There are no less than three possibilities:

1. A fully formed SAML Subject might be added to the Subject Alt Name extension.
2. A SAML Subject might be extracted from an X.509-bound SAML assertion.
3. A SAML Subject might be fabricated on the fly using the Subject DN
of the certificate in a NameID having Format X509SubjectName.

To query, the Grid SP might check these three options in turn.  See

https://spaces.internet2.edu/display/GS/GridSP

for details.

We don't necessarily see attribute push and attribute pull as mutually
exclusive.  We might restrict the amount of pushed information for
privacy reasons, for instance.

Tom
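An added illustration of the three-way check sketched in the message above (this is constructed example code, not code from Tom's post or from the GridSP project): a Grid SP tries, in order, a fully formed SAML Subject carried in a Subject Alt Name otherName, the Subject of an X.509-bound SAML assertion, and finally a NameID of Format X509SubjectName fabricated from the certificate's Subject DN, and it takes the IdP entityID from the Subject Information Access extension only when it already holds metadata for that entityID. The post names no OIDs, so the OIDs below are placeholders, the CertFacts record stands in for the output of a real X.509 parser, and the metadata table and certificates are constructed sample data.

```python
"""Name mapping for a Grid SP: derive a SAML Subject and the issuing IdP's
entityID from the fields of an end-entity certificate (constructed example)."""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
# Placeholder OIDs (private-enterprise arc) for illustration only; none are specified in the post.
OID_SAN_SAML_SUBJECT = "1.3.6.1.4.1.99999.1"    # SAN otherName carrying a full SAML Subject
OID_EXT_SAML_ASSERTION = "1.3.6.1.4.1.99999.2"  # extension carrying an X.509-bound assertion
OID_SIA_ENTITY_ID = "1.3.6.1.4.1.99999.3"       # SIA accessMethod whose location is the IdP entityID

@dataclass
class CertFacts:
    """Decoded certificate fields the mapping needs (stand-in for a parsed cert)."""
    subject_rdns: list                                   # [(type, value)] in DER order
    san_other_names: dict = field(default_factory=dict)  # otherName OID -> decoded text
    extensions: dict = field(default_factory=dict)       # extension OID -> decoded text
    sia: dict = field(default_factory=dict)              # accessMethod OID -> accessLocation URI

def _escape_rfc2253(value):
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def rfc2253_dn(rdns):
    """RFC 2253 string form: RDNs printed last-to-first, special characters escaped."""
    return ",".join(f"{t}={_escape_rfc2253(v)}" for t, v in reversed(rdns))

def _parse_subject(raw):
    """Return a saml:Subject element parsed from raw text, or None if it is not one."""
    try:
        el = ET.fromstring(raw)
    except ET.ParseError:
        return None
    return el if el.tag == f"{{{SAML2_NS}}}Subject" else None

def fabricated_subject(facts):
    """Option 3: a NameID of Format X509SubjectName built from the Subject DN."""
    subj = ET.Element(f"{{{SAML2_NS}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML2_NS}}}NameID", Format=FMT_X509_SUBJECT)
    nid.text = rfc2253_dn(facts.subject_rdns)
    return subj

def map_subject(facts):
    """Try the three options in order; return (option number, saml:Subject element)."""
    # 1. A fully formed SAML Subject in a SAN otherName; malformed content is skipped.
    subj = _parse_subject(facts.san_other_names.get(OID_SAN_SAML_SUBJECT, ""))
    if subj is not None:
        return 1, subj
    # 2. The Subject of an X.509-bound assertion. A real SP verifies the assertion's
    #    signature against the IdP's metadata before trusting it; omitted here.
    raw = facts.extensions.get(OID_EXT_SAML_ASSERTION)
    if raw:
        try:
            assertion = ET.fromstring(raw)
        except ET.ParseError:
            assertion = None
        if assertion is not None and assertion.tag == f"{{{SAML2_NS}}}Assertion":
            subj = assertion.find(f"{{{SAML2_NS}}}Subject")
            if subj is not None:
                return 2, subj
    # 3. Nothing pushed: fabricate from the Subject DN.
    return 3, fabricated_subject(facts)

def name_id(subject):
    """(Format, value) of the Subject's NameID, or None."""
    nid = subject.find(f"{{{SAML2_NS}}}NameID")
    return (nid.get("Format"), nid.text) if nid is not None else None

def idp_entity_id(facts, metadata):
    """entityID from the SIA extension, accepted only if the SP holds metadata for it."""
    entity_id = facts.sia.get(OID_SIA_ENTITY_ID)
    return entity_id if entity_id in metadata else None

# Constructed sample data: one known IdP and three certificates.
IDP = "https://idp.example.org/idp/shibboleth"
METADATA = {IDP: "https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"}
RDNS = [("DC", "org"), ("DC", "example"), ("CN", "Alice, PhD")]
SUBJECT_XML = (f'<saml:Subject xmlns:saml="{SAML2_NS}"><saml:NameID '
               'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123'
               '</saml:NameID></saml:Subject>')
ASSERTION_XML = (f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_a1" Version="2.0" '
                 f'IssueInstant="2007-02-19T18:12:07Z"><saml:Issuer>{IDP}</saml:Issuer>'
                 '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:'
                 'emailAddress">alice@example.org</saml:NameID></saml:Subject></saml:Assertion>')
PUSHED = CertFacts(RDNS, san_other_names={OID_SAN_SAML_SUBJECT: SUBJECT_XML}, sia={OID_SIA_ENTITY_ID: IDP})
BOUND = CertFacts(RDNS, san_other_names={OID_SAN_SAML_SUBJECT: "<not xml"},
                  extensions={OID_EXT_SAML_ASSERTION: ASSERTION_XML}, sia={OID_SIA_ENTITY_ID: IDP})
PLAIN = CertFacts(RDNS, sia={OID_SIA_ENTITY_ID: "https://rogue.example.net/idp"})  # no metadata held

if __name__ == "__main__":
    for label, facts in (("pushed", PUSHED), ("bound", BOUND), ("plain", PLAIN)):
        option, subj = map_subject(facts)
        print(label, option, name_id(subj), idp_entity_id(facts, METADATA))
```

The third certificate shows why the entityID lookup is gated on metadata: a certificate naming an IdP the SP has never heard of yields no callback target, so only the fabricated X509SubjectName remains, and the attribute query that option 3 would normally lead to cannot be made.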

