shibboleth-dev - authentication authority
- From: Tom Scavo <>
- To: Shibboleth Development <>
- Subject: authentication authority
- Date: Thu, 29 Sep 2005 20:41:59 -0400
The Shib spec holds out the possibility of an authentication authority
that responds to AuthenticationQuery requests. We may have a use case
for AuthenticationQuery.

Suppose we integrate MyProxy, an online credentials repository and CA,
with a Shib IdP:

http://grid.ncsa.uiuc.edu/myproxy/

When a (non-browser) grid client requests a proxy certificate, MyProxy
registers the DN with the Shib authentication authority (with TTL
equal to that of the proxy cert). Later, when the grid client
authenticates to the grid SP, an AuthenticationQuery with an
X509SubjectName identifier is issued to the authentication authority.
In response, the grid SP receives an authentication assertion. In
addition, the authentication authority pushes an attribute assertion
in the response. (Alternatively, the grid SP could make a separate
request for attributes at a later time.)

Thoughts?

Thanks,
Tom
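The exchange proposed above, modelled end to end as an added example; this is not code from the original post, from Shibboleth or from MyProxy. It assumes an in-memory registry keyed by DN, an injectable clock, a fixed issuer name `idp.example.org`, a constructed attribute namespace, and no XML signatures. The SAML 1.1 protocol/assertion namespaces, the `X509SubjectName` NameIdentifier format and the `X509-PKI` authentication method URI are the standard ones. The point worth seeing is the TTL: the registration lives exactly as long as the proxy certificate, so a query after expiry (or for an unregistered DN, or with the wrong identifier format) gets a Responder status and no assertion rather than a stale "yes".

```python
"""Toy model of MyProxy registering a DN with a Shibboleth authentication
authority and a grid SP issuing a SAML 1.1 AuthenticationQuery for it.
Added example; registry, clock and issuer name are assumptions."""
import time
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
ATTR_NS = "urn:example:attributes"  # constructed attribute namespace (assumption)

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _instant(t):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))


def _subject(parent, dn):
    # saml:Subject carrying the certificate DN as an X509SubjectName identifier
    subj = ET.SubElement(parent, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameIdentifier"), Format=X509_FORMAT).text = dn
    return subj


def build_authentication_query(dn, now=None):
    """Grid SP side: a samlp:Request wrapping an AuthenticationQuery for the DN."""
    now = time.time() if now is None else now
    req = ET.Element(_q(SAMLP, "Request"), MajorVersion="1", MinorVersion="1",
                     RequestID="_" + uuid.uuid4().hex, IssueInstant=_instant(now))
    query = ET.SubElement(req, _q(SAMLP, "AuthenticationQuery"), AuthenticationMethod=X509_PKI)
    _subject(query, dn)
    return ET.tostring(req, encoding="unicode")


class AuthenticationAuthority:
    """Authentication authority with a TTL-bounded DN registry (assumed design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._registry = {}  # dn -> (authn_instant, expiry, attributes)

    def register(self, dn, ttl_seconds, attributes):
        """MyProxy side: record the DN for exactly the proxy certificate's lifetime."""
        issued = self._clock()
        self._registry[dn] = (issued, issued + ttl_seconds, dict(attributes))

    def handle_request(self, request_xml):
        """Answer an AuthenticationQuery with authn + attribute statements, or a Responder status."""
        req = ET.fromstring(request_xml)
        now = self._clock()
        resp = ET.Element(_q(SAMLP, "Response"), MajorVersion="1", MinorVersion="1",
                          ResponseID="_" + uuid.uuid4().hex, IssueInstant=_instant(now),
                          InResponseTo=req.get("RequestID", ""))
        code = ET.SubElement(ET.SubElement(resp, _q(SAMLP, "Status")), _q(SAMLP, "StatusCode"))
        nid = req.find("./%s/%s/%s" % (_q(SAMLP, "AuthenticationQuery"),
                                       _q(SAML, "Subject"), _q(SAML, "NameIdentifier")))
        dn = nid.text if nid is not None and nid.get("Format") == X509_FORMAT else None
        entry = self._registry.get(dn) if dn else None
        if entry is not None and entry[1] <= now:
            del self._registry[dn]  # proxy cert TTL elapsed: forget the DN entirely
            entry = None
        if entry is None:
            code.set("Value", "samlp:Responder")  # unknown, expired or wrongly-formatted subject
            return ET.tostring(resp, encoding="unicode")
        issued, expiry, attributes = entry
        code.set("Value", "samlp:Success")
        assertion = ET.SubElement(resp, _q(SAML, "Assertion"), MajorVersion="1", MinorVersion="1",
                                  AssertionID="_" + uuid.uuid4().hex, Issuer="idp.example.org",
                                  IssueInstant=_instant(now))
        # Validity of the assertion is capped at the proxy certificate's expiry.
        ET.SubElement(assertion, _q(SAML, "Conditions"), NotBefore=_instant(now),
                      NotOnOrAfter=_instant(expiry))
        authn = ET.SubElement(assertion, _q(SAML, "AuthenticationStatement"),
                              AuthenticationMethod=X509_PKI, AuthenticationInstant=_instant(issued))
        _subject(authn, dn)
        attr_stmt = ET.SubElement(assertion, _q(SAML, "AttributeStatement"))  # pushed attributes
        _subject(attr_stmt, dn)
        for name, value in attributes.items():
            attr = ET.SubElement(attr_stmt, _q(SAML, "Attribute"), AttributeName=name,
                                 AttributeNamespace=ATTR_NS)
            ET.SubElement(attr, _q(SAML, "AttributeValue")).text = value
        return ET.tostring(resp, encoding="unicode")


def parse_response(response_xml):
    """Grid SP side: extract status, asserted DN and pushed attributes from the Response."""
    resp = ET.fromstring(response_xml)
    status = resp.find("./%s/%s" % (_q(SAMLP, "Status"), _q(SAMLP, "StatusCode"))).get("Value")
    result = {"status": status, "dn": None, "attributes": {}}
    authn = resp.find(".//%s" % _q(SAML, "AuthenticationStatement"))
    if authn is not None:
        result["dn"] = authn.find("./%s/%s" % (_q(SAML, "Subject"), _q(SAML, "NameIdentifier"))).text
    for attr in resp.iter(_q(SAML, "Attribute")):
        result["attributes"][attr.get("AttributeName")] = attr.find(_q(SAML, "AttributeValue")).text
    return result


if __name__ == "__main__":
    aa = AuthenticationAuthority()
    dn = "/C=US/O=Example Grid/CN=Alice"  # constructed sample DN
    aa.register(dn, ttl_seconds=3600, attributes={"eduPersonAffiliation": "member"})
    print(aa.handle_request(build_authentication_query(dn)))
```

Running the module prints the Response the grid SP would receive for a freshly registered DN; `parse_response` is what the SP would apply to it before trusting the subject or the pushed attributes. In a real deployment the assertion would also be signed and the SP would check `InResponseTo` and `Conditions` itself.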
- authentication authority, Tom Scavo, 09/29/2005
- RE: authentication authority, Scott Cantor, 09/30/2005
- Re: authentication authority, Tom Scavo, 09/30/2005
- RE: authentication authority, Scott Cantor, 09/30/2005