Skip to Content.
Sympa Menu

shibboleth-dev - Re: Fwd: More detailed Grid scenarios

Subject: Shibboleth Developers

List archive

Re: Fwd: More detailed Grid scenarios


Chronological Thread 
  • From: "David L. Wasley" <>
  • To: Von Welch <>
  • Cc:
  • Subject: Re: Fwd: More detailed Grid scenarios
  • Date: Thu, 15 Jan 2004 10:33:20 -0800

Von, I'm going to offer a somewhat different GRID user scenario. I am going to assume that "anonymity" is not desired or required for GRID services (although "privacy" might be but that's a different issue). Therefore, through some administrative process run by the VO, a given individual establishes eligibility to use GRID resources. Finally, I will assume that the user's HO (e.g. campus) is Shib enabled and therefore supports EPPN and that this EPPN is what identifies the user in the GRID domain.

----------------

* User (+) goes to the GRID target service or service "portal". GRID determines what the user's Home Organization (HO) is via WAYF or equivalent.

* Target service or portal redirects user to HO's HS which is where authentication is confirmed and a token (handle) is returned to the GRID. This is not needed for "privacy" - this is merely how Shib works.

* GRID target service or portal contacts the AA over a SSL
protected channel. Local, trusted copy of certificate of Shib AA is
used to verify that the correct AA is being communicated with. Target
service performs mutual authentication with shib AA using it's own
certificate & private key.

* Target service presents user's handle and requests user's EPPN. It might also want to receive other attributes but this could be done in a later query.

* Shib AA consults ARPs to determine target service's right to access
attributes for user. Delivers EPPN and possibly a list of attributes to target service over SSL-encrypted link.

* GRID target service or portal uses EPPN along with perhaps other attributes and local policy to make access control decisions.


(+) A process running on the user's behalf with delegated credentials from the user would already have the EPPN. All it would need to do is also know the HO AA's URI and present a valid server cert plus the user's EPPN to that AA.

----------------------

This is basically "borrowing" the HO's authentication system to establish the validity of an EPPN at the time a user approaches a GRID resource. Once there, the user might queue a job to run at a later date but the EPPN and other information is already validated so the resource(s) at that time can make a simple query to the AA.

What do you think?

David




Archive powered by MHonArc 2.6.16.

Top of Page