[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence
Nate Klingenstein
ndk at internet2.edu
Mon Feb 5 22:26:14 CST 2007
OGSA-Authn BoFfers,
At our meeting in North Carolina, I flagged the translation of names
from the grid world to the institutional world and vice versa as
being an important topic for discussion in the next several months.
We need to begin to document current practices so that a path towards
convergence can be identified.
I'd like to give a brief background for those on the list who aren't
heavily steeped in this problem. The various Shibboleth-grid
integration projects out there all want to bootstrap grid
authentication (and sometimes authorization) by use of institutional
authentication. This authentication generally results in a unique
identifier for the user which differs in form from that used on the
grid, and potentially in semantic meaning as well.
There are a lot of different types of identifiers. If a campus is
using LDAP, the user will also have a DN associated with their entry,
but this directory DN is rarely used as an identifier in practice and
usually won't correspond to those issued in X.509 certificates
anyway. Local practices for primary identifier vary based on local
needs, and many institutions don't use LDAP at all.
eduPersonPrincipalName, which takes the form of name@domain, has
proven the most ubiquitous and successful in inter-realm deployment
thus far.
The critical step is translation of the identifier that results from
campus authentication to a grid-usable credential (and, potentially,
vice versa for callbacks). This bootstrap can be performed in many
ways at many different points. Differences in practice could lead to
non-interoperability and general confusion for grid SPs and campus
IdPs alike.
There are several projects out there that have bridged this gap in
creative ways, such as SHEBANGS, SLCS, and GridShib. I'd like to
invite each project to take some time within the next month to
describe in a brief document how they linked Shibboleth
authentication to the grid as a first step. If there's a willingness
to document additional passing of authorization or attribute
information, I think that would be useful as well.
Cheers,
Nate.
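To make the translation problem concrete, here is an added example (not from this message or from SHEBANGS, SLCS or GridShib) of what a bootstrap step might do with an eduPersonPrincipalName: parse the name@domain form, check that the asserting IdP is actually authorized for that scope, and map the result to an X.509-style subject DN. Two constructed mapping policies are shown side by side so the interoperability point is visible: the same person ends up with two different grid names depending on which policy the SP applies. The DN layouts, the IdP entityIDs, the scope table and the sample user are all assumptions made for this example.

```python
"""Added example: campus ePPN <-> grid-style X.509 subject DN translation.
The DN layouts, the IdP/scope table and the sample values are constructed
for illustration; they are not the conventions of any real project."""
import re

# ePPN has the form user@scope, where scope is a DNS-style domain.  The
# character class is deliberately narrow so that nothing in a validated
# ePPN can contain '/', '=' or '\', which keeps the slash-separated DN
# form below unambiguous without any escaping.
_EPPN_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]+)@(?P<scope>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)

# Constructed table: which scopes each IdP (keyed by entityID) may assert.
# In a real deployment this comes from federation metadata, not from code.
IDP_SCOPES = {
    "https://idp.uni-a.example/idp": {"uni-a.example"},
    "https://idp.uni-b.example/idp": {"uni-b.example", "alumni.uni-b.example"},
}


def parse_eppn(eppn):
    """Split an ePPN into (user, scope); the scope is case-insensitive."""
    m = _EPPN_RE.match(eppn)
    if not m:
        raise ValueError(f"malformed ePPN: {eppn!r}")
    return m.group("user"), m.group("scope").lower()


def scope_is_permitted(eppn, idp_entity_id):
    """Scope check: an IdP may only assert ePPNs in scopes it is authorized
    for.  Without this, one campus could assert a name in another campus's
    namespace and be mapped to that campus's grid identity."""
    _, scope = parse_eppn(eppn)
    return scope in IDP_SCOPES.get(idp_entity_id, set())


def _checked(eppn, idp_entity_id):
    if not scope_is_permitted(eppn, idp_entity_id):
        raise ValueError(f"IdP {idp_entity_id} may not assert {eppn!r}")
    return parse_eppn(eppn)


def dn_policy_a(eppn, idp_entity_id):
    """Policy A (constructed): DC components from the scope, CN = user part."""
    user, scope = _checked(eppn, idp_entity_id)
    dcs = "".join(f"/DC={label}" for label in reversed(scope.split(".")))
    return f"{dcs}/CN={user}"


def dn_policy_b(eppn, idp_entity_id):
    """Policy B (constructed): fixed O/OU prefix, CN carries the whole ePPN."""
    user, scope = _checked(eppn, idp_entity_id)
    return f"/O=Grid/OU={scope}/CN={user}@{scope}"


def eppn_from_dn_policy_a(dn):
    """Reverse mapping for callbacks; valid only for DNs built by policy A."""
    rdns = [part.split("=", 1) for part in dn.strip("/").split("/") if part]
    if any(len(r) != 2 for r in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    labels = [v for t, v in rdns if t == "DC"]
    cns = [v for t, v in rdns if t == "CN"]
    if not labels or len(cns) != 1:
        raise ValueError(f"DN does not follow policy A: {dn!r}")
    return f"{cns[0]}@{'.'.join(reversed(labels))}"


if __name__ == "__main__":
    idp_a = "https://idp.uni-a.example/idp"
    eppn = "jdoe@uni-a.example"  # constructed sample user
    print("policy A:", dn_policy_a(eppn, idp_a))
    print("policy B:", dn_policy_b(eppn, idp_a))
    print("round trip:", eppn_from_dn_policy_a(dn_policy_a(eppn, idp_a)))
    # A name in another campus's scope, asserted by IdP A, is rejected.
    print("spoofed scope permitted?", scope_is_permitted("jdoe@uni-b.example", idp_a))
```

Running it shows the same user as `/DC=example/DC=uni-a/CN=jdoe` under one policy and `/O=Grid/OU=uni-a.example/CN=jdoe@uni-a.example` under the other; a grid SP that expects one form cannot recognise the other, which is exactly the divergence the message warns about. The scope check is the piece worth keeping whatever mapping is chosen: the DN is only as trustworthy as the SP's confidence that the asserting IdP owns the scope.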