[ogsa-authn-bof] SAML-Grid Name Mapping Framework

Tom Scavo trscavo at gmail.com
Tue Feb 20 08:43:23 CST 2007


On 2/19/07, Nate Klingenstein <ndk at internet2.edu> wrote:
>
> ... there's a variety of additional information that can come out of
> the SAML environment that may be of interest to the grid.

Most of the authz information in X.509 certificates (whether it be
X.509 ACs or SAML attribute assertions) will not emanate from the
campus.  It originates in the Grid as VO information.

> ... another piece of information may be
> the LoA and method of the initial authentication.

Yes, if we are to leverage campus authn infrastructure, then the
complete _authentication context_ must be propagated into the grid
environment.  The bottom line is that the SAML authentication
statement issued by the campus IdP must be bound to the X.509
certificate.

> I'm trying to constrain
> the conversation to the name identifier at this point in time to make sure
> that we can focus on getting commonality there first.  Do you think that's
> reasonable?

Yes, that is the interface between the campus and the grid.  Of all
the properties we've discussed so far, the most important is the
non-reassignment of the identifier, I think.  If you can guarantee
that, the rest can (and probably should) be handled within the grid.

> > 2. a SAML Subject
> >
> > There are no less than three possibilities:
> >
> > 1. A fully formed SAML Subject might be added to the Subject Alt Name
> > extension.
> > 2. A SAML Subject might be extracted from an X.509-bound SAML assertion.
> > 3. A SAML Subject might be fabricated on the fly using the Subject DN
> > of the certificate in a NameID having Format X509SubjectName.
>
> Option #3 is interesting because it's a subject that is potentially
> different from the identifier that has been originally sent by the IdP,
> which may have been an attribute, persistentId, etc., unless we want to make
> every IdP talking to a grid gateway release a special name identifier, which
> seems to be a big challenge.  We need to assume the IdP is able to recognize
> the X509SubjectName and associate it with the right identity back at the
> IdP, which means a tighter coupling between the translation service/grid CA
> and the IdP.  I don't know if I'm comfortable with #3 for that reason.

Agreed, option #3 is the least desirable (which is why it's listed as
#3 :) but it's the only one that's profiled right now.  In some sense,
it's the "natural" approach to attribute query in grids.

> I'd add an option #4 as a programmatic mapping between an x.509 subject name
> and a SAML subject name.  That would imply a standard place in the SubjectDN
> where any given identifier and its type would be placed (e.g.
> CN=ndk at internet2.edu/urn:oid:1.3.6.1.4.1.5923.1.1.1.6 or
> CN=<opaqueAlphaNumericString>/urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
> which means the IdP can speak its own language and the grid only has to
> handle DNs.

But that is even less desirable since it only works for EECs (not
proxy certificates).  Moreover, nobody's doing that right now so you'd
have to twist some arms.

> The important thing to me is to ensure that an x.509 credential created by
> any given SAML gateway can be parsed the same way by any given grid SP to
> result with the same SAML subject.

Right, so now you're including proxy certificates (in addition to
EECs) and I agree, we need an X.509 Binding for SAML Assertions that
specifies the structure of the certificate and the processing rules
the Grid SP must follow to consume that certificate.

> Do you feel we can constrain this list of options at this point in time and
> select one that seems most reasonable?  Is the SubjectAltName already
> reserved for other purposes in some grid deployments?

I don't think that matters since Subject Alt Name is a SEQUENCE of
names.  We'd have to specify a new name with its own type-id.

> What would #1 and #2
> mean for DN-based ACLs?

Nothing.  Options #1 and #2 don't affect the DN.

Tom
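An added illustration of the two DN-based mappings discussed above (my code, not from this thread or any grid middleware): option #3, where the certificate Subject DN is dropped into a NameID of Format X509SubjectName, and Nate's proposed option #4, where the CN carries "<identifier>/<URI>" and the grid recovers both the SAML NameID and its Format from the DN. It assumes the DN has already been pulled out of the certificate as an RFC 2253 string, that the certificate chain has already been validated by the grid SP (the mapping is only as trustworthy as the issuing CA), and it uses the SAML 1.1 X509SubjectName format URI; the "Example" organisation names and the sample DNs are constructed.

```python
"""
X.509 Subject DN -> SAML Subject/NameID mappings (options #3 and #4).

Only the standard library is used; the DN is taken as an RFC 2253
string, so no certificate parsing library is needed to run this.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML 1.1 name identifier format for an X.509 subject name.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("saml", SAML2_NS)


def split_rdns(dn):
    """Split an RFC 2253 DN into (type, value) pairs; honours '\\,' escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, keep literally
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    pairs = []
    for rdn in parts:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def name_id_option3(subject_dn):
    """Option #3: fabricate a NameID on the fly from the Subject DN."""
    name_id = ET.Element(f"{{{SAML2_NS}}}NameID", Format=X509_SUBJECT_NAME)
    name_id.text = subject_dn
    return name_id


def name_id_option4(subject_dn):
    """Option #4: CN=<identifier>/<URI>; the URI names the identifier type.

    Only meaningful for an EEC whose CN was written this way by the
    SAML gateway; anything else is rejected rather than guessed at.
    """
    cns = [v for t, v in split_rdns(subject_dn) if t == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN component")
    ident, sep, fmt = cns[0].rpartition("/")
    if not sep or not ident or not fmt.startswith("urn:"):
        raise ValueError("CN does not follow the <identifier>/<URI> convention")
    name_id = ET.Element(f"{{{SAML2_NS}}}NameID", Format=fmt)
    name_id.text = ident
    return name_id


def subject_xml(name_id):
    """Wrap a NameID in a saml:Subject and serialise it."""
    subj = ET.Element(f"{{{SAML2_NS}}}Subject")
    subj.append(name_id)
    return ET.tostring(subj, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample DNs, one per convention.
    print(subject_xml(name_id_option3("CN=Tom Scavo,O=Example Grid,C=US")))
    print(subject_xml(name_id_option4(
        "CN=ndk@internet2.edu/urn:oid:1.3.6.1.4.1.5923.1.1.1.6,O=Example Campus")))
```

Note that option #3 needs no parsing at all, which is why it is the only one profiled; option #4 depends on a CN layout that no CA emits today and that a proxy certificate would not preserve, so the parser refuses any CN that does not match rather than inventing a Format.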
