Shibboleth Developers

Phone #:  (800) 541-1710
Pin #:  0142203

Agenda:

1) Current programming issues/questions

        -- as needed

2) Begin discussion of the Grid scenarios; there's obviously some 
overlap with the non-browser profiles we've been discussing.

Here's a rough cut from Von, beginning to lay out the Grid-Shib use cases:

Model 1, basic pull model: Client authenticates to resource using PKI
(EEC or X.509 Proxy Certificate). Resource contacts AA (possibly
authenticating using it's own credential) and provides identity of
client along with list of attributes it's interested in. AA consults
ARP and provides allowed SAML attr assertions to resource.

Open issues: WAYF - how does resource know which AA to contact without
interactive user on other end of conneciton?

Pros: Doesn't require handling of assertions on client.

Model 2, base push model: Client authenticates to AA using PKI (again
EEC or PC). Requests list of attributes (and target resources?). AA
provides signed SAML assertions of attributes bound to client PKI
identity. Client authenticates to resource and presents SAML
assertions.

Open issues: How does ARP fit in? Does release policy shift to user?
Is user sole source of release policy? How does user manage attr
assertions and their release? What is lifetime of assertions?

Pros: Solves WAFY, allows easy use of multiple AAs as user can collect
assertions from a number.

Issues with both models: specification of X.509 "identity" in Shib -
is it DN, EEC, Proxy Cert, whole chain?

--