shibboleth-dev - GridShib profile

  • From: Tom Scavo <>
  • To: Shibboleth Development <>
  • Subject: GridShib profile
  • Date: Tue, 8 Mar 2005 08:07:54 -0500
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type; b=jFKe5yNrKMnN/XzO57Uc+z4rpQ4FtrQpNU0JR2GzxJNcPPTupCbWlyt6nH91FnXSdVzvfABrTaBicZKplXBeOOhRS6a4ZVfZXlr+l53E+EFAtOGofeni5hXotNkZ3nxOrRh3dqgOwdO56Ev7ytdSYJPhLE/3/i1/6A4J9VPfo/8=

This is a followup to Von's post from last Jan 18th:

https://mail.internet2.edu/wws/arc/shibboleth-dev/2005-01/msg00039.html

The GridShib team has developed a new version of the GridShib profile.
Briefly, the profile consists of four steps:

1) The Grid Client POSTs a SOAP request to the Grid Service.
2) The Grid Service POSTs a SAML SOAP message to the AA at the IdP.
3) The AA returns an attribute assertion to the Grid Service.
4) The Grid Service performs the requested operation and returns a
response to the Grid Client.

A more detailed write-up of the profile is attached. Of course we are
interested in any feedback you might have.

An unanswered question is the mapping from NameIdentifier to Principal
required at step 3. Unfortunately, the Shibboleth class
X509SubjectNameNameIdentifierMapping will not work for us since X.509
certs issued to grid users do not generally have such nice,
predictable DNs.

Also, SAML 2.0 metadata doesn't seem to handle the case of a
standalone attribute requester very well. You'll notice from the
supplied metadata examples that a <md:AttributeConsumingService>
element is nested inside an <md:SPSSODescriptor> element, which is
conceptually incorrect in the case of the above GridShib profile.
Moreover, the <md:SPSSODescriptor> element MUST contain at least one
<md:AssertionConsumerService> element, which is also a problem for us.
As far as I can tell, we will have to include a dummy
<md:AssertionConsumerService> element as a placeholder.

Finally, it would be highly desirable if multiple
<md:AttributeConsumingService> elements could be defined. However,
AFAIK the index attribute of this metadata element is ignored by a
SAML 1.x metadata implementation. Is this correct?

Any advice you have will be appreciated.

Thanks,
Tom Scavo
GridShib

GridShib Profile [gridshib-profile-05]

PRECONDITIONS

+ The Grid User and the Grid Service each possess an X.509 credential.
+ The Grid User is enrolled with a Shibboleth Identity Provider (IdP).
+ The IdP is able to map the Grid User's X.509 Subject DN to one and only one
user in its security domain.
+ The IdP and the Grid Service each have been assigned a unique identifier
called a providerId.
+ The Grid Client application has access to the Grid User's X.509 certificate
and the IdP providerId.
+ The Grid Service and the IdP rely on the same metadata format and exchange
this metadata out-of-band.

OVERVIEW

This GridShib profile consists of four steps:

1) The Grid Client POSTs a SOAP request to the Grid Service.
2) The Grid Service POSTs a SAML SOAP message to the AA at the IdP.
3) The AA returns an attribute assertion to the Grid Service.
4) The Grid Service performs the requested operation and returns a response
to the Grid Client.

PROFILE

1) The Grid Client POSTs a SOAP request to the Grid Service. Accompanying
the request is the following information:

+ The providerId of the Grid Client's IdP
+ The X.509 Subject DN of the client cert

2) The Grid Service validates the request and POSTs a SAML SOAP request to
the attribute authority (AA) at the IdP:

POST /shibboleth/AA/SOAP HTTP/1.1
Host: idp.org
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Request
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        MajorVersion="1" MinorVersion="1"
        IssueInstant="2004-12-05T09:22:04Z"
        RequestID="aaf23196-1773-2113-474a-fe114412ab72">
      <samlp:AttributeQuery
          Resource="https://gs.org/shibboleth"> <!-- Grid Service providerId -->
        <saml:Subject>
          <saml:NameIdentifier
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
              NameQualifier="https://idp.org/shibboleth"> <!-- IdP providerId -->
            <!-- insert X.509 Subject DN here -->
          </saml:NameIdentifier>
        </saml:Subject>
        <saml:AttributeDesignator
            AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
        <saml:AttributeDesignator
            AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      </samlp:AttributeQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The following conditions on the <samlp:AttributeQuery> element MUST be
satisfied:

+ The value of the Resource attribute of the <samlp:AttributeQuery> element
is the providerId of the Grid Service.
+ The value of the Format attribute of the <saml:NameIdentifier> element is
the standard SAML URI
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".
+ The value of the NameQualifier attribute of the <saml:NameIdentifier>
element is the providerId of the Grid Client's IdP at step 1.
+ The text content of the <saml:NameIdentifier> element inside <saml:Subject>
is the X.509 Subject DN (suitably encoded) associated with the Grid Client at
step 1.

The requested attributes (eduPersonScopedAffiliation and
eduPersonEntitlement) are for illustration only. Alternatively, the required
attributes may be specified in Grid Service metadata as shown below.
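As an added example (not code from the GridShib profile or from Shibboleth), the following Python builds the step 2 AttributeQuery described above and checks an incoming request against the four MUST conditions. The namespaces and attribute names are those on the page; the providerIds, the Subject DN and its RFC 2253 string encoding, and the request id used in the usage call are constructed sample values.

```python
# Added example, not part of the GridShib profile: build the step-2 SAML 1.1
# AttributeQuery and check the MUST conditions the profile places on it.
# providerIds, DN encoding and ids below are constructed sample values.
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

# Serialize with the prefixes used on the page rather than ElementTree's ns0/ns1
ET.register_namespace("SOAP-ENV", NS["soap"])
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def build_attribute_query(grid_service_id, idp_id, subject_dn, attribute_names,
                          request_id=None, issue_instant=None):
    """Return the SOAP envelope (UTF-8 bytes) the Grid Service POSTs to the AA."""
    request_id = request_id or str(uuid.uuid4())
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(tag("soap", "Envelope"))
    ET.SubElement(env, tag("soap", "Header"))
    body = ET.SubElement(env, tag("soap", "Body"))
    req = ET.SubElement(body, tag("samlp", "Request"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": issue_instant, "RequestID": request_id})
    # Resource MUST be the providerId of the Grid Service itself
    query = ET.SubElement(req, tag("samlp", "AttributeQuery"), {"Resource": grid_service_id})
    subject = ET.SubElement(query, tag("saml", "Subject"))
    # Format MUST be X509SubjectName; NameQualifier MUST be the IdP providerId
    # presented at step 1; the element content is the client cert's Subject DN
    nid = ET.SubElement(subject, tag("saml", "NameIdentifier"),
                        {"Format": X509_SUBJECT_NAME, "NameQualifier": idp_id})
    nid.text = subject_dn
    for name in attribute_names:
        ET.SubElement(query, tag("saml", "AttributeDesignator"),
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def check_attribute_query(envelope, grid_service_id, idp_id, subject_dn):
    """Return the list of violated step-2 MUST conditions (empty list = OK)."""
    root = ET.fromstring(envelope)
    query = root.find("soap:Body/samlp:Request/samlp:AttributeQuery", NS)
    if query is None:
        return ["no samlp:AttributeQuery in SOAP body"]
    problems = []
    if query.get("Resource") != grid_service_id:
        problems.append("Resource is not the Grid Service providerId")
    nid = query.find("saml:Subject/saml:NameIdentifier", NS)
    if nid is None:
        return problems + ["no saml:NameIdentifier in saml:Subject"]
    if nid.get("Format") != X509_SUBJECT_NAME:
        problems.append("NameIdentifier Format is not X509SubjectName")
    if nid.get("NameQualifier") != idp_id:
        problems.append("NameQualifier is not the IdP providerId from step 1")
    if (nid.text or "").strip() != subject_dn:
        problems.append("NameIdentifier does not carry the step-1 Subject DN")
    return problems


if __name__ == "__main__":
    gs, idp = "https://gs.org/shibboleth", "https://idp.org/shibboleth"
    dn = "CN=Sample Grid User,O=Example Org,C=US"  # constructed
    env = build_attribute_query(gs, idp, dn,
                                ["urn:mace:dir:attribute-def:eduPersonScopedAffiliation"])
    print(env.decode())
    print("problems:", check_attribute_query(env, gs, idp, dn))
```

The checker deliberately compares Resource and NameQualifier against values the Grid Service already knows (its own providerId and the IdP named at step 1) rather than trusting whatever the request carries; that is what stops a query for one service from being replayed against another.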

3) The AA at the IdP processes the request, formulates an attribute assertion
and returns the attributes to the Grid Service:

HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnnn

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        IssueInstant="2004-12-05T09:22:05Z"
        MajorVersion="1" MinorVersion="1"
        ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <saml:Assertion
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          MajorVersion="1" MinorVersion="1"
          AssertionID="a144e8f3-adad-594a-9649-924517abe933"
          IssueInstant="2004-12-05T09:22:05Z"
          Issuer="https://idp.org/shibboleth"> <!-- IdP providerId -->
        <saml:Conditions
            NotBefore="2004-12-05T09:17:05Z"
            NotOnOrAfter="2004-12-05T09:52:05Z">
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                NameQualifier="https://idp.org/shibboleth"> <!-- IdP providerId -->
              <!-- insert X.509 Subject DN here -->
            </saml:NameIdentifier>
          </saml:Subject>
          <saml:Attribute
              AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue Scope="idp.org">
              member
            </saml:AttributeValue>
            <saml:AttributeValue Scope="idp.org">
              faculty
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute
              AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue xsi:type="xsd:anyURI">
              https://gs.org/entitlements/123456789
            </saml:AttributeValue>
            <saml:AttributeValue xsi:type="xsd:anyURI">
              urn:mace:incommon:entitlement:common:1
            </saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

4) The Grid Service parses the attribute assertion, creates a security
context, makes an access control decision, performs the requested operation
and returns a response to the Grid Client.
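The step 4 processing, as an added example that is not part of the profile or of any Shibboleth or Globus code: the Grid Service ties the response to its own request, checks status, issuer, validity window and subject, builds a security context from the attribute values and then makes the access control decision. SAMPLE_RESPONSE is the page's step 3 example response with a constructed Subject DN filled in; the clock value, the set of scopes the IdP may assert, and the entitlement the service demands are constructed assumptions, as is the scope filter itself (the page states no scope rule). Verification of the response signature or of the AA's TLS identity is assumed to happen before this code runs.

```python
# Added example, not part of the GridShib profile: step-4 handling of the
# step-3 response. SAMPLE_RESPONSE is the page's response with a constructed
# DN; allowed scopes, clock and required entitlement are constructed too.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
SAMPLE_DN = "CN=Sample Grid User,O=Example Org,C=US"  # constructed

SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        IssueInstant="2004-12-05T09:22:05Z" MajorVersion="1" MinorVersion="1"
        ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          MajorVersion="1" MinorVersion="1"
          AssertionID="a144e8f3-adad-594a-9649-924517abe933"
          IssueInstant="2004-12-05T09:22:05Z" Issuer="https://idp.org/shibboleth">
        <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:52:05Z"/>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                NameQualifier="https://idp.org/shibboleth">CN=Sample Grid User,O=Example Org,C=US</saml:NameIdentifier>
          </saml:Subject>
          <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue Scope="idp.org">member</saml:AttributeValue>
            <saml:AttributeValue Scope="idp.org">faculty</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue xsi:type="xsd:anyURI">https://gs.org/entitlements/123456789</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xsd:anyURI">urn:mace:incommon:entitlement:common:1</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def parse_instant(value):
    """SAML 1.x UTC dateTime ('...Z') -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_security_context(response, request_id, idp_id, subject_dn, now, allowed_scopes):
    """Validate the AA response against what was sent at step 2 and return
    {'affiliations': set, 'entitlements': set}. Raises ValueError on failure."""
    resp = ET.fromstring(response).find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    if resp.get("InResponseTo") != request_id:  # bind the answer to our own query
        raise ValueError("InResponseTo does not match the step-2 RequestID")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("AA did not return samlp:Success")
    ctx = {"affiliations": set(), "entitlements": set()}
    for assertion in resp.findall("saml:Assertion", NS):
        if assertion.get("Issuer") != idp_id:
            raise ValueError("assertion Issuer is not the expected IdP providerId")
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:  # honour the validity window the IdP put on it
            if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
                raise ValueError("assertion not yet valid")
            if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
                raise ValueError("assertion has expired")
        for stmt in assertion.findall("saml:AttributeStatement", NS):
            nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
            if (nid is None or nid.get("Format") != X509_SUBJECT_NAME
                    or (nid.text or "").strip() != subject_dn):
                raise ValueError("attribute statement is not about the step-1 subject")
            for attr in stmt.findall("saml:Attribute", NS):
                name = attr.get("AttributeName")
                for val in attr.findall("saml:AttributeValue", NS):
                    text, scope = (val.text or "").strip(), val.get("Scope")
                    if name == AFFILIATION and scope in allowed_scopes:
                        # assumed scope filter: keep only scopes this IdP may assert
                        ctx["affiliations"].add("%s@%s" % (text, scope))
                    elif name == ENTITLEMENT:
                        ctx["entitlements"].add(text)
    return ctx


def is_authorized(ctx, required_entitlement):
    """Constructed access rule: the subject must hold the demanded entitlement."""
    return required_entitlement in ctx["entitlements"]
```

A value of eduPersonScopedAffiliation is only as trustworthy as its Scope, so the context stores "member@idp.org" rather than bare "member" and drops values whose scope the IdP is not entitled to assert.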

METADATA

An example of Shibboleth Identity Provider metadata:

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.org/shibboleth"> <!-- IdP providerId -->
  <!-- insert ds:Signature element here -->
  <!-- insert md:IDPSSODescriptor element here -->
  <md:AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>IdP AA Key</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.org/shibboleth/AA/SOAP"/>
    <saml:Attribute
        Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
        NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
        NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    </md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">
      Shibboleth Identity Provider
    </md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">
      Shibboleth Identity Provider @ Some Location
    </md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">
      http://www.idp.org/
    </md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:SurName>Shibboleth IdP Support</md:SurName>
    <md:EmailAddress></md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

The following conditions on the above <md:EntityDescriptor> element MUST be
satisfied:

+ The value of the entityID attribute of the <md:EntityDescriptor> element
is the providerId of the IdP.
+ The value of the Binding attribute of the <md:AttributeService> element
is "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding".
+ The value of the Location attribute of the <md:AttributeService> element
is used at step 2 of the profile.
+ There must be one <md:NameIDFormat> element whose value is
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName". Other
identifiers may be supported by the IdP, that is, other <md:NameIDFormat>
elements may be called out in metadata.

The <saml:Attribute> elements are for illustration only. The IdP is not
required to advertise the attributes it will supply in response to an
attribute query.

An example of Shibbolized Grid Service metadata:

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://gs.org/shibboleth"> <!-- Grid Service providerId -->
  <!-- insert ds:Signature element here -->
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>SP SSO Key</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    </md:NameIDFormat>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.org/shibboleth/SSO/POST"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://sp.org/shibboleth/SSO/Artifact"/>
    <md:AttributeConsumingService isDefault="true" index="0">
      <md:ServiceName xml:lang="en">
        Shibbolized Grid Service
      </md:ServiceName>
      <md:RequestedAttribute
          Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      </md:RequestedAttribute>
      <md:RequestedAttribute
          Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>
          https://gs.org/entitlements/123456789
        </saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">
      GridShib Service Provider
    </md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">
      GridShib Service Provider @ Some Location
    </md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">
      http://www.gs.org/
    </md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:SurName>GridShib Support</md:SurName>
    <md:EmailAddress></md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

The following conditions on the above <md:EntityDescriptor> element MUST be
satisfied:

+ The value of the entityID attribute of the <md:EntityDescriptor> element
is the providerId of the Grid Service.
+ The value of the <md:NameIDFormat> element is
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName". No other
<md:NameIDFormat> elements are allowed.
+ The <md:AssertionConsumerService> elements are irrelevant to GridShib but
the SAML 2.0 metadata specification requires at least one such element.

The <md:RequestedAttribute> elements are for illustration only.
Alternatively, the required attributes may be specified within the
<samlp:AttributeQuery> element as shown in step 2.
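The metadata conditions for both parties, as an added example that is not part of the profile or of Shibboleth: each checker returns the list of MUST conditions the descriptor violates, idp_aa_location extracts the endpoint used at step 2, and sp_requested_attributes reads the names that would otherwise be listed as AttributeDesignators in the query. IDP_METADATA and SP_METADATA are the page's two examples trimmed to the elements the checks look at. Where several AttributeConsumingService elements exist the code prefers the one marked isDefault="true" and otherwise takes the first listed; that choice is an assumption, since (as the covering message notes) a SAML 1.x implementation may ignore the index attribute.

```python
# Added example, not part of the GridShib profile: check the metadata MUST
# conditions and pull out what the Grid Service needs from each descriptor.
# Both metadata samples are the page's examples, trimmed.
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

IDP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://idp.org/shibboleth">
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.org/shibboleth/AA/SOAP"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

SP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://gs.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.org/shibboleth/SSO/POST"/>
    <md:AttributeConsumingService isDefault="true" index="0">
      <md:ServiceName xml:lang="en">Shibbolized Grid Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>https://gs.org/entitlements/123456789</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _name_id_formats(role):
    return [f.text.strip() for f in role.findall("md:NameIDFormat", MD_NS) if f.text]


def idp_metadata_problems(metadata, expected_idp_id):
    """Violated MUST conditions for the IdP EntityDescriptor (empty list = OK)."""
    root = ET.fromstring(metadata)
    problems = []
    if root.get("entityID") != expected_idp_id:
        problems.append("entityID is not the IdP providerId")
    aa = root.find("md:AttributeAuthorityDescriptor", MD_NS)
    if aa is None:
        return problems + ["no md:AttributeAuthorityDescriptor"]
    svc = aa.find("md:AttributeService", MD_NS)
    if svc is None or svc.get("Binding") != SOAP_BINDING:
        problems.append("md:AttributeService Binding is not the SAML 1.0 SOAP binding")
    # X509SubjectName must be present; other formats may sit beside it
    if X509_SUBJECT_NAME not in _name_id_formats(aa):
        problems.append("no md:NameIDFormat of X509SubjectName")
    return problems


def idp_aa_location(metadata):
    """Endpoint the Grid Service POSTs the step-2 query to (None if absent)."""
    svc = ET.fromstring(metadata).find(
        "md:AttributeAuthorityDescriptor/md:AttributeService", MD_NS)
    return None if svc is None else svc.get("Location")


def sp_metadata_problems(metadata, expected_gs_id):
    """Violated MUST conditions for the Grid Service EntityDescriptor."""
    root = ET.fromstring(metadata)
    problems = []
    if root.get("entityID") != expected_gs_id:
        problems.append("entityID is not the Grid Service providerId")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor"]
    if _name_id_formats(sp) != [X509_SUBJECT_NAME]:  # exactly this one, no others
        problems.append("md:NameIDFormat must be X509SubjectName and nothing else")
    # Irrelevant to GridShib, but SAML 2.0 metadata requires at least one
    if not sp.findall("md:AssertionConsumerService", MD_NS):
        problems.append("SPSSODescriptor lacks the required md:AssertionConsumerService placeholder")
    return problems


def sp_requested_attributes(metadata):
    """Attribute names of the chosen md:AttributeConsumingService, in order."""
    sp = ET.fromstring(metadata).find("md:SPSSODescriptor", MD_NS)
    services = sp.findall("md:AttributeConsumingService", MD_NS) if sp is not None else []
    if not services:
        return []
    # assumed selection rule: isDefault="true" wins, else the first listed
    chosen = next((s for s in services if s.get("isDefault") == "true"), services[0])
    return [ra.get("Name") for ra in chosen.findall("md:RequestedAttribute", MD_NS)]
```

The AssertionConsumerService check exists only because the SAML 2.0 metadata schema demands the element; nothing in this profile ever sends anything to that Location, which is why the profile calls it a placeholder.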