[ogsa-authn-bof] Shibboleth/Grid Namespace mapping for SWITCH SLCS

Von Welch vwelch at ncsa.uiuc.edu
Tue Feb 13 14:04:30 CST 2007


Christoph,

  I believe we are nearly in alignment with our conversion algorithms.

  As I see it, your uniqueInt is equivalent to my suggested use of a
targetedId - it's a globally unique, permanent user identifier.
Yours is scoped to the SWITCH federation as opposed to ePTID which
is scoped to the recipient, but I'm not sure that matters.

  For your Organizational component, how do you derive this string?
Is it conveyed in an attribute or from metadata or some other means?
I'd previously considered using the IdP identifier in this field, was
convinced it was unnecessary, but am not against the idea.

Von

On Feb 12, 2007, at 5:34 PM, Christoph Witzig wrote:

> Dear all,
>
> I wanted to inject the rule for how the SWITCHslcs DN gets constructed
> into this discussion:
>
> The SWITCHslcs generates an X.509 certificate (not a proxy) based upon
> successful authentication at the Shibboleth IdP. The Shib attributes are
> used to construct the DN of the certificate in the following way:
>
> Example:
> Subject: DC=ch, DC=switch, DC=slcs,
> O=Switch - Teleinformatikdienste fuer Lehre und Forschung,
> CN=Christoph Witzig 8CA3021D
>
> Quote from the CP/CPS:
>
> For the distinguished name the following relative distinguished names
> (RDN) are required: DC, CN and either O or OU.
> The distinguished name shall start with the following RDNs:
> /DC=ch/DC=switch/DC=slcs.
> The organization RDN (O) contains the name of the institution operating
> the Identity Provider as registered in the Commercial Registry Office or
> used in an official document, such as cantonal law, e.g. ‘Switch -
> Teleinformatikdienste fuer Lehre und Forschung’.
> If the identity provider of the requester is the virtual home
> organization, the O RDN is not present and the OU RDN is set to
> ‘SWITCHaai Virtual Home Organization’.
> The common name (CN) is constructed based on the attributes of the user
> as provided by his/her Identity Provider: CN=’givenname surname uniqueInt’.
> Givenname and surname are the corresponding attributes of the user. The
> attribute definitions of SWITCHaai are derived from the eduPerson schema
> and are described in the attribute specification document available at
> http://www.switch.ch/aai/documents.
> The uniqueInt is an immutable unique integer in hexadecimal format,
> generated out of the requester’s attributes as provided by the Identity
> Provider. The uniqueness of the uniqueInt, and therefore of the DN, is
> guaranteed by the SWITCHaai attribute UniqueID, which identifies an
> individual uniquely within the SWITCHaai federation.
> If the optional subjectAltName extension is present, then it must
> contain an rfc822Name entry carrying the “e-mail” attribute of the user
> as provided by his/her Identity Provider.
>
> Cheers
>
> Christoph
>
> -- 
> -------  SWITCH - The Swiss Education & Research Network  -------
> Christoph Witzig         Security           http://www.switch.ch/
> SWITCH, Neumuehlequai 6, P.O. Box,  CH-8021   Zurich, Switzerland
> E-mail: witzig at switch.ch P: +41 44 268 15 66  F: +41 44 268 15 68
>
>
> _______________________________________________
> ogsa-authn-bof mailing list
> ogsa-authn-bof at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authn-bof
>
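The DN construction rule quoted from the CP/CPS above, worked through in code. This is an added example for this archive page, not SWITCH's own SLCS implementation and not code from either poster; the attribute names, the sample UniqueID value and the SHA-1-based stand-in for deriving uniqueInt are assumptions, and the RFC 4514 escaping is added because IdP-supplied givenName/surname values are copied into the DN verbatim.

```python
import hashlib
import re
from typing import Dict, Optional

# Fixed prefix and the VHO organizational unit, both taken from the quoted CP/CPS.
BASE_RDNS = [("DC", "ch"), ("DC", "switch"), ("DC", "slcs")]
VHO_OU = "SWITCHaai Virtual Home Organization"

# Constructed sample attributes (hypothetical attribute names and UniqueID value).
SAMPLE_ATTRS = {"givenName": "Christoph", "surname": "Witzig",
                "uniqueID": "123456@switch.ch"}
SAMPLE_ORG = "Switch - Teleinformatikdienste fuer Lehre und Forschung"


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514. IdP-supplied names go straight into
    the DN, so an unescaped ',' in givenName could smuggle in an extra RDN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    out = re.sub(r"^([ #])", r"\\\1", out)   # leading space or '#'
    out = re.sub(r" $", r"\\ ", out)         # trailing space
    return out


def unique_int(unique_id: str) -> str:
    """ASSUMPTION: the CP/CPS only says uniqueInt is an immutable hex integer
    derived from IdP attributes and made unique by UniqueID; a truncated
    SHA-1 of UniqueID stands in for SWITCH's unpublished derivation."""
    return hashlib.sha1(unique_id.encode("utf-8")).hexdigest()[:8].upper()


def build_slcs_dn(attrs: Dict[str, str], idp_org: Optional[str]) -> str:
    """Assemble the DN; idp_org is None when the IdP is the Virtual Home Org."""
    for required in ("givenName", "surname", "uniqueID"):
        if not attrs.get(required):
            raise ValueError(f"missing required attribute {required}")
    rdns = list(BASE_RDNS)
    rdns.append(("OU", VHO_OU) if idp_org is None else ("O", idp_org))
    cn = f"{attrs['givenName']} {attrs['surname']} {unique_int(attrs['uniqueID'])}"
    rdns.append(("CN", cn))
    return ", ".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


if __name__ == "__main__":
    print(build_slcs_dn(SAMPLE_ATTRS, SAMPLE_ORG))
    print(build_slcs_dn(SAMPLE_ATTRS, None))
    print(build_slcs_dn(dict(SAMPLE_ATTRS, givenName="Eve,CN=Admin"), SAMPLE_ORG))
```

The third call shows why escaping matters: without it a crafted givenName would yield a DN that parses as two CN RDNs.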
