[ogsa-authn-bof] SAML-Grid Name Mapping Framework
Tom Scavo
trscavo at gmail.com
Wed Feb 21 19:08:17 CST 2007
On 2/20/07, Nate Klingenstein <ndk at internet2.edu> wrote:
>
> There's a lot of different information in the SAML assertion that
> we're interested in. Much of it would be difficult to express
> natively in x.509 in the absence of a universal credential
> converter. I think it makes sense to provide as much of that
> information as possible to the grid SP or service, which probably
> means binding the SAML assertion(s) directly to the x.509 credential
> in an extension is part of a medium-term solution.
Wholeheartedly agree.
> Please see section 2.3.5 of the Liberty ID-WSF DS Specification for
> an example of what I mean by NameID/EPR pair (the NameID in that case
> is in the EPR, but can also be in the surrounding token). For
> details on how this relates to SAML, please see section 4.2.
>
> http://projectliberty.org/liberty/content/download/875/6201/file/
> liberty-idwsf-disco-svc-v2.0.pdf
Thanks for providing that link, Nate. It helps me understand where
you're coming from.
Quite honestly, I remain skeptical of ID-WSF, for various reasons.
Even if we assume that an open source implementation is forthcoming,
it's unlikely ID-WSF will ever find its way into Globus Toolkit (which
is what I mean when I say "Grid SP"). At one point I did an informal
comparison of WSRF and ID-WSF, and concluded the two were
incompatible, primarily in their use of WS-Addressing.
> The user may also float to an application with a grid SP, to which it
> still authenticates using the x.509 certificate. The grid SP
> detaches the SAML assertions and parses them. One or more of these
> assertions may in fact be ID-WSF EPR assertions, in which case the
> grid SP queries those EPR's using the associated NameID's as
> invocation identities for additional information.
Maybe. I don't think the Grid SP will learn to speak ID-WSF any time
soon (if ever). In the meantime, push will prevail. If there's any
pulling to be done, it will be done by the intermediary (e.g., the
Science Gateway).
> In my hypothetical land, there's no real need to specify how anything
> is done in the x.509 cert except for requiring a unique, persistent
> DN and defining how SAML is bound to the x.509 credential.
I don't think there's any hope of specifying a single DN format
everybody can live with, but a standard for binding SAML to X.509 is
essential, yes.
Tom
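To make the "push" model in the thread concrete (Nate's point that the SAML assertion should be bound to the X.509 credential in an extension, and that the Grid SP then detaches and parses it to get a NameID alongside the certificate DN), here is an added Go sketch that is not part of the thread or of any Globus or Shibboleth code. It assumes a placeholder extension OID (no OID is assigned in the discussion) and a constructed, unsigned sample assertion; a real Grid SP would also verify the IdP's signature on the assertion before trusting the NameID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"errors"
	"math/big"
	"time"
)

// Placeholder OID for the "SAML assertion" extension; the thread assigns no real OID.
var samlExtOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7}
// Minimal view of a SAML 2.0 assertion: the name-mapping layer only needs the NameID.
type samlAssertion struct {
	NameID string `xml:"Subject>NameID"`
}
// Constructed, unsigned sample assertion (a real grid SP must verify the IdP's signature).
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1"><saml:Issuer>https://idp.example.org/idp</saml:Issuer>` +
	`<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">k9d4p2</saml:NameID></saml:Subject></saml:Assertion>`
// issueCertWithSAML (CA side): self-signed cert whose subject is the persistent DN and whose extension carries the assertion bytes verbatim.
func issueCertWithSAML(cn string, assertion []byte) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand never fails on Go 1.24+
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: samlExtOID, Value: assertion}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// detachSAML (grid SP side): after X.509 authentication, pull the assertion out of the extension and return the (DN, NameID) pair the name mapping works with.
func detachSAML(der []byte) (dn, nameID string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(samlExtOID) {
			var a samlAssertion
			if err := xml.Unmarshal(ext.Value, &a); err != nil {
				return "", "", err
			}
			return cert.Subject.String(), a.NameID, nil
		}
	}
	return "", "", errors.New("no SAML extension in certificate")
}
```

The extension is carried as an opaque OCTET STRING, so an unaware relying party simply ignores it, while a name-mapping-aware Grid SP gets both the certificate DN and the IdP-asserted persistent NameID from a single credential.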