[OGSA-AUTHZ] Comments: Use of SAML to Retrieve Authorization Credentials

Tom Scavo trscavo at gmail.com
Tue Sep 16 11:29:06 CDT 2008


On Tue, Sep 16, 2008 at 11:39 AM, David Chadwick
<d.w.chadwick at kent.ac.uk> wrote:
>
> Tom Scavo wrote:
>>
>> If the user possesses a
>> username/password only, how does one obtain a trusted proxy
>> certificate (with bound SAML token)?  I don't know the best answer to
>> that question, so I'll leave it open for now.
>
> The answer is, he does not need to, if the SAML tokens are signed by the
> trusted AA.
>
> If you use Attribute Based Access Controls, then the identifier of the user
> (i.e. the DN from the proxy cert) is irrelevant. All you need are the valid
> attributes of the user that can be used in the authz decision making. You
> have these from the signed SAML assertions, which state that the holder of
> key Z has the following attributes. The CVS will happily validate these SAML
> attribute assertions against its policy rules for who are trusted AAs (using
> the OGSA-Auth WSTrust profile). You can in fact include multiple SAML
> assertions from multiple IDPs in the X.509 proxy if you want to (and copy
> these into the WS-Trust message). The GT4 PEP knows that the user is the
> holder of the key that issued the proxy certificate, so the attributes
> belong to him. You can even use a self-signed EE certificate if you want to,
> since it is possession of the private key that is important, not trust in
> the DN. And you can get the user to sign the request message to GT4 if
> signing of the certificate is not sufficient for you. So forget about having
> a trusted DN, it's irrelevant in ABAC. (This is another good reason for
> moving on from gridmap files :-)

Hear, hear! :-)

Thanks for letting me explain all that, David.

Tom
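The decision logic David describes above, as an added example that is not part of this thread and not code from GT4, the CVS or any OGSA-AUTHZ implementation: a policy point collects attributes from several holder-of-key SAML attribute assertions, keeping only those that are signed by a trusted AA and bound to the key that signed the request, and never looks at the subject's DN. All issuer names, keys and attribute values are constructed. To keep the block standard-library only, the AA's XML-DSig signature and the requester's proof of key possession are stood in for by HMAC tags over a canonical string, and the caller is assumed to pass the fingerprint of the key it already verified on the incoming request (proxy certificate or message signature); those are assumptions, not OGSA-Auth behaviour.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
NS = {"saml": SAML_NS}

# Constructed trust store: the policy rule for "who are trusted AAs".
# Hypothetical issuer names; HMAC keys stand in for the AAs' signing keys.
TRUSTED_AAS = {
    "https://aa.example.org/": b"constructed-aa-signing-key",
    "https://idp.example.edu/": b"constructed-idp-signing-key",
}


def fingerprint(pubkey: bytes) -> str:
    """Name a key by SHA-256 of its encoded public key (stand-in for ds:KeyInfo)."""
    return hashlib.sha256(pubkey).hexdigest()


def _canonical(issuer: str, key_fp: str, attrs: dict) -> bytes:
    """Deterministic byte string covering everything the AA's signature protects."""
    items = ";".join(f"{n}={','.join(sorted(v))}" for n, v in sorted(attrs.items()))
    return f"{issuer}|{key_fp}|{items}".encode()


def issue_assertion(issuer: str, signing_key: bytes, holder_pubkey: bytes, attrs: dict) -> str:
    """Build 'the holder of key Z has these attributes', signed by the AA (HMAC stand-in)."""
    key_fp = fingerprint(holder_pubkey)
    tag = hmac.new(signing_key, _canonical(issuer, key_fp, attrs), hashlib.sha256).hexdigest()
    attr_xml = "".join(
        f'<Attribute Name="{escape(n)}">'
        + "".join(f"<AttributeValue>{escape(v)}</AttributeValue>" for v in sorted(vals))
        + "</Attribute>"
        for n, vals in sorted(attrs.items()))
    return (
        f'<Assertion xmlns="{SAML_NS}">'
        f"<Issuer>{escape(issuer)}</Issuer>"
        f'<Subject><SubjectConfirmation Method="{HOK_METHOD}">'
        f"<SubjectConfirmationData><KeyFingerprint>{key_fp}</KeyFingerprint></SubjectConfirmationData>"
        f"</SubjectConfirmation></Subject>"
        f"<AttributeStatement>{attr_xml}</AttributeStatement>"
        f"<Signature>{tag}</Signature>"  # stand-in for the ds:Signature element
        f"</Assertion>")


def collect_attributes(assertions, request_key_fp: str, trusted_aas=TRUSTED_AAS):
    """Return (attributes, rejections).  An assertion contributes only if its issuer is a
    trusted AA, its signature verifies, and its holder-of-key binding names the key that
    signed the request.  No subject DN is consulted anywhere."""
    attrs, rejected = {}, []
    for xml in assertions:
        a = ET.fromstring(xml)
        issuer = a.findtext("saml:Issuer", namespaces=NS)
        if issuer not in trusted_aas:
            rejected.append((issuer, "issuer is not a trusted AA"))
            continue
        sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
        bound_fp = a.findtext(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/saml:KeyFingerprint",
            default="", namespaces=NS)
        claimed = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                   for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        expected = hmac.new(trusted_aas[issuer], _canonical(issuer, bound_fp, claimed),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.findtext("saml:Signature", default="", namespaces=NS)):
            rejected.append((issuer, "signature does not verify"))
            continue
        if sc is None or sc.get("Method") != HOK_METHOD or bound_fp != request_key_fp:
            rejected.append((issuer, "assertion is not bound to the requester's key"))
            continue
        for name, values in claimed.items():
            attrs.setdefault(name, set()).update(values)
    return attrs, rejected


def authorize(attrs: dict, required: dict) -> bool:
    """ABAC rule: every required attribute value must be present in the collected set."""
    return all(value in attrs.get(name, set()) for name, value in required.items())


if __name__ == "__main__":
    user_key = b"constructed-user-public-key"  # the key behind the (possibly self-signed) proxy
    fp = fingerprint(user_key)
    aa, idp = "https://aa.example.org/", "https://idp.example.edu/"
    bundle = [
        issue_assertion(aa, TRUSTED_AAS[aa], user_key, {"eduPersonEntitlement": ["urn:vo:example:run-jobs"]}),
        issue_assertion(idp, TRUSTED_AAS[idp], user_key, {"eduPersonAffiliation": ["member", "staff"]}),
        issue_assertion("https://rogue.example.net/", b"rogue-key", user_key, {"eduPersonEntitlement": ["urn:vo:example:admin"]}),
    ]
    attrs, rejected = collect_attributes(bundle, fp)
    print(attrs, rejected, authorize(attrs, {"eduPersonEntitlement": "urn:vo:example:run-jobs"}))
```

The order of checks matters: the issuer is matched against the trust list first, then the signature is verified over the whole canonical content, and only then is the holder-of-key binding believed, because a binding inside an unverified assertion proves nothing. An assertion legitimately issued to some other key is rejected even though it carries a valid trusted-AA signature, which is what makes a copied assertion useless without the corresponding private key.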
