[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence

Nate Klingenstein ndk at internet2.edu
Mon Feb 5 22:26:14 CST 2007


OGSA-Authn BoFfers,

At our meeting in North Carolina, I flagged the translation of names  
from the grid world to the institutional world and vice versa as  
being an important topic for discussion in the next several months.   
We need to begin to document current practices so that a path towards  
convergence can be identified.

I'd like to give a brief background for those on the list who aren't  
heavily steeped in this problem.  The various Shibboleth-grid  
integration projects out there all want to bootstrap grid  
authentication (and sometimes authorization) by use of institutional  
authentication.  This authentication generally results in a unique  
identifier for the user which differs in form from that used on the  
grid, and potentially in semantic meaning as well.

There are a lot of different types of identifiers.  If a campus is  
using LDAP, the user will also have a DN associated with their entry,  
but this directory DN is rarely used as an identifier in practice and  
usually won't correspond to those issued in X.509 certificates  
anyway.  Local practices for primary identifier vary based on local  
needs, and many institutions don't use LDAP at all.   
eduPersonPrincipalName, which takes the form of name@domain, has  
proven the most ubiquitous and successful in inter-realm deployment  
thus far.

The critical step is translation of the identifier that results from  
campus authentication to a grid-usable credential (and, potentially,  
vice versa for callbacks).  This bootstrap can be performed in many  
ways at many different points.  Differences in practice could lead to  
non-interoperability and general confusion for grid SPs and campus  
IdPs alike.
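As an added illustration (not code from any of the projects named in this message), the following sketches one possible translation policy in both directions: an eduPersonPrincipalName of the form name@domain is mapped to a DN rooted at a per-scope base, and the inverse is used for callbacks. The scope-to-base table and the DN layout are assumptions chosen for the example; the point is that the mapping refuses unregistered scopes and malformed names, so an asserted ePPN can never land in another campus's DN namespace.

```python
import re

# Constructed, hypothetical policy: which ePPN scopes this bridge vouches for,
# and the base DN each one is mapped under.  Both values are assumptions.
SCOPE_BASES = {
    "example.edu": "/DC=edu/DC=example/OU=People",
}

# name@domain; the character classes exclude "/" and "=" so a user part can
# never smuggle an extra RDN into the resulting DN.
EPPN_RE = re.compile(r"(?P<user>[A-Za-z0-9._-]+)@(?P<scope>[A-Za-z0-9.-]+)")


def eppn_to_dn(eppn):
    """Translate an eduPersonPrincipalName to a grid DN under its scope's base.

    Raises ValueError for a malformed ePPN or for a scope that is not registered,
    rather than guessing a namespace for it.
    """
    m = EPPN_RE.fullmatch(eppn)
    if m is None:
        raise ValueError("malformed ePPN: %r" % (eppn,))
    user, scope = m.group("user"), m.group("scope").lower()
    base = SCOPE_BASES.get(scope)
    if base is None:
        raise ValueError("scope %r is not registered for DN mapping" % (scope,))
    return "%s/CN=%s" % (base, user)


def dn_to_eppn(dn):
    """Inverse mapping for callbacks from the grid back to the campus identifier.

    Returns None when the DN was not produced by eppn_to_dn for a registered
    scope (wrong base, extra RDNs, or a CN that is not a valid user part).
    """
    for scope, base in SCOPE_BASES.items():
        prefix = base + "/CN="
        if dn.startswith(prefix):
            user = dn[len(prefix):]
            if EPPN_RE.fullmatch(user + "@" + scope):
                return "%s@%s" % (user, scope)
    return None
```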

There are several projects out there that have bridged this gap in  
creative ways, such as SHEBANGS, SLCS, and GridShib.  I'd like to  
invite each project to take some time within the next month to  
describe in a brief document how they linked Shibboleth  
authentication to the grid as a first step.  If there's a willingness  
to document additional passing of authorization or attribute  
information, I think that would be useful as well.

Cheers,
Nate.

