[ogsa-authn-bof] Shibboleth/Grid Namespace mapping for SWITCH SLCS

Christoph Witzig witzig at switch.ch
Thu Feb 15 00:19:27 CST 2007


Hi Von,

>  I believe we are nearly in alignment with our conversion algorithms.
>
>  As I see it, your uniqueInt is equivalent to my suggested use of a 
> targetedId - it's a globally unique, permanent user identifier. Yours 
> is scoped to the SWITCH federation as opposed to ePTID which is scoped 
> to the recipient, but I'm not sure that matters.
>
>  For your Organizational component, how do you derive this string? Is 
> it conveyed in an attribute or from metadata or some other means? I'd 
> previously considered using the IdP identifier in this field, was 
> convinced it was unnecessary, but am not against the idea.
How is the DN constructed?

The SLCS server reads the rule for how the DN shall be constructed from an 
XML configuration file. In this rule there are:
- constant parts (e.g. DC=ch, DC=switch, DC=slcs)
- take the Shibboleth attribute as it is provided by the IdP
- map the Shibboleth attribute to another value
- transform the Shibboleth attribute (e.g. take the hash value).

The organizational component is one of the mapped values, i.e. the 
Shibboleth value is mapped to the legal name of the company (resp. 
university), e.g. Shib value = "switch.ch" ==> mapped Value = "Switch - 
Teleinformatikdienste fuer Lehre und Forschung".

The entry for the DNPattern in the XML file for the SWITCHslcs is:

 <DNPattern>DC=ch\,DC=switch\,DC=slcs\,mappedValue(${Shib-SwissEP-HomeOrganization})\,CN=${Shib-InetOrgPerson-givenName} ${Shib-Person-surname} hashValue(${Shib-SwissEP-UniqueID})</DNPattern>

Cheers

Christoph


>
> Von
>
> On Feb 12, 2007, at 5:34 PM, Christoph Witzig wrote:
>
>> Dear all,
>>
>> I wanted to inject the rule for how the SWITCHslcs DN gets constructed into
>> this discussion:
>>
>> The SWITCHslcs generates an X.509 certificate (not a proxy) based upon
>> successful authentication at the Shibboleth IdP. The Shib attributes are
>> used to construct the DN of the certificate in the following way:
>>
>> Example:
>> Subject: DC=ch, DC=switch, DC=slcs, O=Switch - Teleinformatikdienste
>> fuer Lehre und Forschung, CN=Christoph Witzig 8CA3021D
>>
>> Quote from the CP/CPS:
>>
>> For the distinguished name the following relative distinguished names
>> (RDN) are required: DC, CN and either O or OU.
>> The distinguished name shall start with the following RDNs:
>> /DC=ch/DC=switch/DC=slcs.
>> The organization RDN (O) contains the name of the institution operating
>> the Identity Provider as registered in the Commercial Registry Office or
>> used in an official document, such as cantonal law, e.g. ‘Switch -
>> Teleinformatikdienste fuer Lehre und Forschung’.
>> If the identity provider of the requester is the virtual home
>> organization, the O RDN is not present and the OU RDN is set to
>> ‘SWITCHaai Virtual Home Organization’.
>> The common name (CN) is constructed based on the attributes of the user
>> as provided by his/her Identity Provider: CN=‘givenname surname 
>> uniqueInt’.
>> Givenname and surname are the corresponding attributes of the user. The
>> attribute definitions of SWITCHaai are derived from the eduPerson schema
>> and are described in the attribute specification document available at
>> http://www.switch.ch/aai/documents.
>> The uniqueInt is an immutable unique integer in hexadecimal format,
>> generated out of the requester’s attributes as provided by the Identity
>> Provider. The uniqueness of the uniqueInt, and therefore of the DN, is
>> guaranteed by the SWITCHaai attribute UniqueID, which identifies an
>> individual uniquely within the SWITCHaai federation.
>> If the optional subjectAltName extension is present, then it must
>> contain an rfc822Name entry carrying the “e-mail” attribute of the user
>> as provided by his/her Identity Provider.
>>
>> Cheers
>>
>> Christoph
>>
>> ---------  SWITCH - The Swiss Education & Research Network  -------
>> Christoph Witzig         Security           http://www.switch.ch/
>> SWITCH, Neumuehlequai 6, P.O. Box,  CH-8021   Zurich, Switzerland
>> E-mail: witzig at switch.ch P: +41 44 268 15 66  F: +41 44 268 15 68
>>
>


-- 
-------  SWITCH - The Swiss Education & Research Network  -------
Christoph Witzig         Security           http://www.switch.ch/
SWITCH, Neumuehlequai 6, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: witzig at switch.ch P: +41 44 268 15 66  F: +41 44 268 15 68
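The DN construction rule described in the thread (constant RDNs, pass-through attributes, mapped and hashed attributes, and the CP/CPS shape from the quoted message), worked through as an added Python example. This is not SWITCH's SLCS code: the mapping table, the attribute set, the choice of a truncated SHA-1 for uniqueInt, and the assumption that mappedValue() yields the whole RDN (so the virtual home organization can produce OU= instead of O=) are all assumptions made for the example, since the thread names neither the hash function nor the server's internal API. The example goes a little beyond the pattern itself in two ways a defender would want: attribute values are escaped per RFC 4514 so released data cannot add or split RDNs, and the result is checked against the CP/CPS requirements before it is returned.

```python
import hashlib
import re
from typing import Dict, List

# DNPattern quoted in the thread.  The separator between RDNs is the escaped
# comma '\,', so a literal ',' never has to appear unescaped inside the rule.
DN_PATTERN = (
    r"DC=ch\,DC=switch\,DC=slcs\,"
    r"mappedValue(${Shib-SwissEP-HomeOrganization})\,"
    r"CN=${Shib-InetOrgPerson-givenName} ${Shib-Person-surname} "
    r"hashValue(${Shib-SwissEP-UniqueID})"
)

# Constructed mapping table standing in for the SLCS server's real one.
# Assumption: mappedValue() yields the complete RDN, so the VHO case can use OU=.
HOME_ORG_MAP = {
    "switch.ch": "O=Switch - Teleinformatikdienste fuer Lehre und Forschung",
    "vho.switch.ch": "OU=SWITCHaai Virtual Home Organization",
}

# One token is either func(${attr}) or a bare ${attr}.  A function takes exactly
# one attribute reference, so attribute *values* are never parsed as syntax.
TOKEN_RE = re.compile(r"(?:(mappedValue|hashValue)\()?\$\{([^}]+)\}(?(1)\))")
RDN_SPECIALS = re.compile(r'([,+"\\<>;])')


def hash_value(unique_id: str, hex_digits: int = 8) -> str:
    # uniqueInt: immutable hex integer derived from UniqueID.  Assumption: the
    # thread names no hash, so SHA-1 truncated to 8 upper-case hex digits is used.
    return hashlib.sha1(unique_id.encode("utf-8")).hexdigest()[:hex_digits].upper()


def mapped_value(home_org: str) -> str:
    # Map HomeOrganization to the registered legal name; unknown IdPs fail closed.
    try:
        return HOME_ORG_MAP[home_org]
    except KeyError:
        raise ValueError(f"no mapping for home organization {home_org!r}") from None


def escape_rdn_value(value: str) -> str:
    # Escape RFC 4514 specials so user-supplied data cannot add or split RDNs.
    escaped = RDN_SPECIALS.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    return escaped


def _require(attrs: Dict[str, str], name: str) -> str:
    value = attrs.get(name, "")
    if not value:
        raise ValueError(f"required attribute {name!r} missing or empty")
    return value


def expand_rdn(piece: str, attrs: Dict[str, str]) -> str:
    # Expand one RDN of the pattern in a single pass; output is never rescanned.
    def replace(m) -> str:
        func, name = m.group(1), m.group(2)
        value = _require(attrs, name)
        if func == "mappedValue":
            return mapped_value(value)
        if func == "hashValue":
            return hash_value(value)
        return escape_rdn_value(value)
    return TOKEN_RE.sub(replace, piece)


def build_dn(pattern: str, attrs: Dict[str, str]) -> List[str]:
    # Split the pattern on the escaped comma and expand every RDN.
    return [expand_rdn(piece, attrs) for piece in pattern.split("\\,")]


def check_policy(rdns: List[str]) -> None:
    # Enforce the CP/CPS shape: fixed DC prefix, a CN, and exactly one of O/OU.
    if rdns[:3] != ["DC=ch", "DC=switch", "DC=slcs"]:
        raise ValueError("DN must start with DC=ch, DC=switch, DC=slcs")
    types = [rdn.split("=", 1)[0] for rdn in rdns]
    if "CN" not in types or ("O" in types) == ("OU" in types):
        raise ValueError("DN needs a CN and either O or OU, not both")


def issue_subject(attrs: Dict[str, str], pattern: str = DN_PATTERN) -> str:
    # Build the subject DN from released attributes, refusing policy violations.
    rdns = build_dn(pattern, attrs)
    check_policy(rdns)
    return ", ".join(rdns)


# Constructed attribute set in the shape an IdP would release (not real data).
SAMPLE_ATTRS = {
    "Shib-SwissEP-HomeOrganization": "switch.ch",
    "Shib-InetOrgPerson-givenName": "Christoph",
    "Shib-Person-surname": "Witzig",
    "Shib-SwissEP-UniqueID": "example-uid@switch.ch",
}

if __name__ == "__main__":
    print(issue_subject(SAMPLE_ATTRS))
```

Two design points carry the security weight here. A function call in the pattern is only accepted with a single `${attr}` argument and the expansion is a single pass over the pattern, so whatever an IdP releases is treated as data and never re-read as pattern syntax; and `mapped_value` fails closed, so an IdP missing from the mapping table cannot end up with an empty or improvised O RDN.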