shibboleth-dev - gridshib callout
Subject: Shibboleth Developers
- From: Tim Freeman <>
- Subject: gridshib callout
- Date: Mon, 21 Mar 2005 17:13:37 -0600
Hi,
I said I would write with an overview of the grid container <-> AA exchange,
both to solicit comments/suggestions and for information sharing.
Here are two links about the hosting environment if you are curious, both
are to documentation in progress.
http://www-unix.globus.org/toolkit/docs/development/4.0-drafts/common/javawscore/JavaWSCoreFacts.html
http://www-unix.globus.org/toolkit/docs/development/4.0-drafts/security/
I've attached a WSDL document that is a shortcut and not the whole story;
from the rest, about all you'd note is that this is doc/literal SOAP.
Java stubs are generated from WSDL and the request is constructed with those
classes and the container handles the wire security.
I've attached an example request/response from the callout.
Note:
1) The SOAP header of the request contains WS-Addressing elements.
2) The two AttributeDesignator elements that are in the gridshib-profile-05
document are not present, but that is not because they cannot be.
3) The name identifier used is rigged for now, obtained from a browser
sign-on and read into the service. This is just for now, for testing.
We had two issues calling out to a 1.2.1 AA from the container.
=====
1) Shibboleth AAs relax the SAML xsd (target namespace is
urn:oasis:names:tc:SAML:1.0:assertion) to work around a Xerces-C bug.
From shibboleth.xsd:
<!--
  Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
  anyAttribute content appearing on anyType. It works in 2.2 but not in
  later versions.
-->
<complexType name="AttributeValueType" mixed="true">
  <annotation>
    <documentation xml:lang="en">
      By convention, all Shibboleth 1.1 origin attribute
      values carry this unconstrained xsi:type.
    </documentation>
  </annotation>
  <complexContent>
    <extension base="anyType"/>
  </complexContent>
</complexType>
I worked the shibboleth namespace into the SAML schema we use to generate
the stubs and that fixes it.
Converted:
<element name="AttributeValue" type="anyType"/>
to
<element name="AttributeValue" type="shib:AttributeValueType"/>
... in the schemas used to generate the stubs (and import the
namespace/xsd).
On the call it was mentioned that this may not be a problem for requests to
a 1.3 IdP.
=====
2) The wsdl2Java classes do not generate the proper bindings for xsd:choice.
The sequence will always be what we will use, so xsd:choice can be removed
w/o schema validation problems.
This is the schema element, note <choice> and the fact that
SubjectConfirmation is used as an element name in each of the options.
<complexType name="SubjectType">
  <choice>
    <sequence>
      <element ref="saml:NameIdentifier"/>
      <element ref="saml:SubjectConfirmation" minOccurs="0"/>
    </sequence>
    <element ref="saml:SubjectConfirmation"/>
  </choice>
</complexType>
The tooling unfortunately generates SubjectConfirmation2 instead of
SubjectConfirmation.
If we eliminate choice and always use the sequence like so:
<complexType name="SubjectType">
  <sequence>
    <element ref="saml:NameIdentifier"/>
    <element ref="saml:SubjectConfirmation" minOccurs="0"/>
  </sequence>
</complexType>
.... then it works.
This is an axis tooling bug and it will eventually be fixed. It would be
possible to work around this, but I don't see the need to for now.
=====
Both of these workarounds are not long term solutions for full SAML
compliance, but we can move ahead with this portion.
Advice or comments welcome.
Thank you to those who took the time on the phone,
Tim
(for GridShib)
Attachment:
saml_attr_port_type.wsdl
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
  <soapenv:Header>
    <wsa:MessageID soapenv:mustUnderstand="0">uuid:527f57e0-968e-11d9-a66a-a6aa43fa32cc</wsa:MessageID>
    <wsa:To soapenv:mustUnderstand="0">https://****.org:443/shibboleth/AA</wsa:To>
    <wsa:Action soapenv:mustUnderstand="0">http://wsrf.globus.org/namespaces/2005/03/samlAttributeRequest/SAMLAttributeRequestPortType/SAMLAttributeRequestRequest</wsa:Action>
    <wsa:From soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
    </wsa:From>
  </soapenv:Header>
  <soapenv:Body>
    <Request IssueInstant="2005-03-17T02:43:19.245Z" MajorVersion="1" MinorVersion="0"
        RequestID="_e72ce2713c8c7cda0a9b282bdf75f6b2"
        xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
      <AttributeQuery Resource="https://****.org/shibboleth/target">
        <ns1:Subject xmlns:ns1="urn:oasis:names:tc:SAML:1.0:assertion">
          <ns1:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
              NameQualifier="https://****.org/shibboleth/origin">d47f4e31-40e4-4db3-89ad-d33f00fdce74</ns1:NameIdentifier>
        </ns1:Subject>
      </AttributeQuery>
    </Request>
  </soapenv:Body>
</soapenv:Envelope>

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap:Body>
    <Response InResponseTo="_e72ce2713c8c7cda0a9b282bdf75f6b2"
        IssueInstant="2005-03-17T02:43:20.051Z" MajorVersion="1" MinorVersion="1"
        ResponseID="d7f63899fa93c4099939c131365d8620"
        xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
      <Status>
        <StatusCode Value="samlp:Success"/>
      </Status>
      <Assertion AssertionID="c1cbd5ca84918f33e7dbf5afb52f9062"
          IssueInstant="2005-03-17T02:43:20.051Z" Issuer="https://****.org/shibboleth/origin"
          MajorVersion="1" MinorVersion="1"
          xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
        <Conditions NotBefore="2005-03-17T02:43:20.050Z" NotOnOrAfter="2005-03-17T03:13:20.050Z">
          <AudienceRestrictionCondition>
            <Audience>https://****.org/shibboleth/target</Audience>
          </AudienceRestrictionCondition>
        </Conditions>
        <AttributeStatement>
          <Subject>
            <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                NameQualifier="https://****.org/shibboleth/origin">d47f4e31-40e4-4db3-89ad-d33f00fdce74</NameIdentifier>
          </Subject>
          <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
              xmlns:typens="urn:mace:shibboleth:1.0">
            <AttributeValue xsi:type="typens:AttributeValueType">member</AttributeValue>
          </Attribute>
        </AttributeStatement>
      </Assertion>
    </Response>
  </soap:Body>
</soap:Envelope>
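As an added example (not code from this message or from GridShib), here is a Python check that the relying party side of the callout could run on a response like the one above before trusting its attributes: it ties the response to the outstanding RequestID, checks the status, validity window and audience, and confirms the assertion is about the subject that was queried. The sample messages are constructed and abridged from the exchange above with placeholder hosts; signature and transport authentication are left to the container, as the message describes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample, abridged from the request/response above (hosts are placeholders).
REQUEST = f"""<Request RequestID="_e72ce2713c8c7cda0a9b282bdf75f6b2" xmlns="{SAMLP}">
  <AttributeQuery Resource="https://sp.example.org/shibboleth/target">
    <s:Subject xmlns:s="{SAML}"><s:NameIdentifier>d47f4e31-40e4-4db3-89ad-d33f00fdce74</s:NameIdentifier></s:Subject>
  </AttributeQuery></Request>"""
RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>
  <Response InResponseTo="_e72ce2713c8c7cda0a9b282bdf75f6b2" xmlns="{SAMLP}" xmlns:samlp="{SAMLP}">
    <Status><StatusCode Value="samlp:Success"/></Status>
    <Assertion Issuer="https://idp.example.org/shibboleth/origin" xmlns="{SAML}">
      <Conditions NotBefore="2005-03-17T02:43:20.050Z" NotOnOrAfter="2005-03-17T03:13:20.050Z">
        <AudienceRestrictionCondition><Audience>https://sp.example.org/shibboleth/target</Audience></AudienceRestrictionCondition>
      </Conditions>
      <AttributeStatement>
        <Subject><NameIdentifier>d47f4e31-40e4-4db3-89ad-d33f00fdce74</NameIdentifier></Subject>
        <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"><AttributeValue>member</AttributeValue></Attribute>
      </AttributeStatement>
    </Assertion></Response></soap:Body></soap:Envelope>"""

def parse_ts(s):  # SAML 1.x timestamps are UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(request_xml, response_xml, now):
    """Return {AttributeName: [values]} or raise ValueError if the response does not fit the request."""
    req = ET.fromstring(request_xml)
    query = req.find(f"{{{SAMLP}}}AttributeQuery")
    asked_subject = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    resp = ET.fromstring(response_xml).find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    if resp.get("InResponseTo") != req.get("RequestID"):
        raise ValueError("InResponseTo does not match our RequestID")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if code.split(":")[-1] != "Success":  # QName; local part compared, prefix assumed to be samlp
        raise ValueError(f"AA returned status {code}")
    cond = resp.find(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if query.get("Resource") not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("audience restriction does not cover the requested resource")
    stmt = resp.find(f"{{{SAML}}}Assertion/{{{SAML}}}AttributeStatement")
    if stmt.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier") != asked_subject:
        raise ValueError("assertion is about a different subject than the one queried")
    return {a.get("AttributeName"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in stmt.findall(f"{{{SAML}}}Attribute")}
```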