Shibboleth Developers

["RL 'Bob' Morgan" <>]

On Tue, 4 Oct 2005, Von Welch wrote:

> This is complicated enough it might take a phone call, but let me take a 
> run at it...

I think what it may need is a picture, as well as an enumeration of the 
players, which seem to be at least:

  Shib IdP instance
  MyProxy instance
  user, with client(s)
  grid service(s)

In the general case all the services are under distinct administrations, 
hence protocol interactions have to handle conveying 
trust/authentication/etc info among all of them.  Dunno if that's the 
scenario you're thinking about.  But discussions where the players are 
labeled as "I" and "you" or "local" and "remote" don't seem to end well, 
in my experience.

> Increasingly with Grid services we're seeing the need to couple them 
> with existing authentication services, in essence creating *-to-X509 
> translators. For example, we now have an online CA (MyProxy) that offers 
> both PAM and SASL authentication mechanisms, allowing a deployment to 
> use an existing LDAP, Kerberos (either password or TGT), Radius, or 
> other (those are just the ones we've tested) authentication service to 
> generate X509 credentials for their users.

As you're probably aware, there's an industry trend to label these kinds 
of things as "security token services" ...

 - RL "Bob"