shibboleth-dev - SHIB design call, monday (12/8), 3:00 pm edt, noon pdt
  • Subject: SHIB design call, monday (12/8), 3:00 pm edt, noon pdt
  • Date: Mon, 8 Dec 2003 11:07:25 -0500

Phone #: (800) 541-1710
Pin #: 0142203

Agenda:

1) Current programming issues/questions

-- as needed

2) Begin discussion of the Grid scenarios; there's obviously some overlap with the non-browser profiles we've been discussing.

Here's a rough cut from Von, beginning to lay out the Grid-Shib use cases:

Model 1, basic pull model: Client authenticates to resource using PKI
(EEC or X.509 Proxy Certificate). Resource contacts AA (possibly
authenticating using its own credential) and provides identity of
client along with list of attributes it's interested in. AA consults
ARP and provides allowed SAML attr assertions to resource.

Open issues: WAYF - how does resource know which AA to contact without
interactive user on other end of connection?

Pros: Doesn't require handling of assertions on client.

Model 2, basic push model: Client authenticates to AA using PKI (again
EEC or PC). Requests list of attributes (and target resources?). AA
provides signed SAML assertions of attributes bound to client PKI
identity. Client authenticates to resource and presents SAML
assertions.

Open issues: How does ARP fit in? Does release policy shift to user?
Is user sole source of release policy? How does user manage attr
assertions and their release? What is lifetime of assertions?

Pros: Solves WAYF, allows easy use of multiple AAs as user can collect
assertions from a number.

Issues with both models: specification of X.509 "identity" in Shib -
is it DN, EEC, Proxy Cert, whole chain?

--
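An added toy model of the two flows sketched in Von's note (example code, not Shibboleth or Grid-Shib code). It assumes the X.509 identity is the subject DN, that the client names its target resource in the push model so the AA can still apply an ARP, and uses an HMAC as a stand-in for the AA's SAML signature; the checks on the resource side (signature, binding to the authenticated identity, audience, lifetime) are the ones a practitioner would want against the open issues listed above.

```python
import hashlib
import hmac
import json
import time

AA_KEY = b"constructed-aa-signing-key"  # stand-in for the AA's signing key (assumption)
ALICE = "CN=alice,O=Example"            # X.509 identity taken as the DN (assumption)
RESOURCE = "https://resource.example.org"

# Constructed attribute store and ARP. The ARP is keyed by (user, resource)
# and names the attributes the AA may release to that resource.
ATTRIBUTES = {ALICE: {"affiliation": "staff", "group": "grid-users", "email": "alice@example.org"}}
ARP = {(ALICE, RESOURCE): {"affiliation", "group"}}

def aa_release(user_dn, resource, requested, ttl=600):
    """AA side: consult the ARP, then return a signed assertion bound to the
    user's PKI identity, scoped to one resource and given a lifetime."""
    allowed = ARP.get((user_dn, resource), set()) & set(requested)
    claims = {"subject": user_dn, "audience": resource, "expires": time.time() + ttl,
              "attrs": {a: ATTRIBUTES[user_dn][a] for a in sorted(allowed)}}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(AA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_assertion(assertion, presented_dn, resource, now=None):
    """Resource side: check the AA signature, the binding to the identity that
    authenticated to us, the intended audience and the expiry. None on failure."""
    expected = hmac.new(AA_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    claims = json.loads(assertion["body"])
    if claims["subject"] != presented_dn or claims["audience"] != resource:
        return None
    if claims["expires"] <= (now if now is not None else time.time()):
        return None
    return claims["attrs"]

def pull_model(user_dn, resource, wanted):
    """Model 1: client authenticates to the resource with PKI; the resource
    itself asks the AA for the attributes it wants and checks the reply."""
    return verify_assertion(aa_release(user_dn, resource, wanted), user_dn, resource)

def push_model(user_dn, resource, wanted, presented_dn=None, now=None):
    """Model 2: client authenticates to the AA, collects the assertion, and later
    presents it to the resource, authenticating there as presented_dn."""
    assertion = aa_release(user_dn, resource, wanted)  # collected on the client side
    return verify_assertion(assertion, presented_dn or user_dn, resource, now)
```

An assertion presented under a different DN, to a resource other than its audience, or after its lifetime is rejected, which is what binds the pushed assertions to the client's PKI identity.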


  • SHIB design call, monday (12/8), 3:00 pm edt, noon pdt, Steven_Carmody, 12/08/2003
