shibboleth-dev - Re: authentication authority
Subject: Shibboleth Developers
List archive
- From: Von Welch <>
- To:
- Subject: Re: authentication authority
- Date: Tue, 4 Oct 2005 16:54:01 -0500
Bob,
Reasonable suggestion. See attached PDF.
I've indicated what I see as three "spaces" in the diagram - these spaces correspond to particular mechanisms and name formats, with various services serving to bridge the spaces. I don't indicate any administrative domains as I don't think they are relevant.
In the stock shibboleth picture, there would be just two spaces (local authn/username, and SAML/Handle) with the Idp bridging in both directions.
What we (gridshib) are wrestling with is if we introduce a third space and another bridge, how do we manage the two bridges such they they work coherently. It seems some sort of communication is necessary, either directly via some shared state between the IdP and MyProxy, or via some information transmitted through the issued X509 credentials (e.g. something in an extension the grid service uses in the SAML request). I think we understand the latter, I'm exploring the former.
Von
Attachment:
shib-myproxy.pdf
Description: Adobe PDF document
On Oct 4, 2005, at 3:52 PM, RL 'Bob' Morgan wrote:
On Tue, 4 Oct 2005, Von Welch wrote:
This is complicated enough it might take a phone call, but let me take a run at it...
I think what it may need is a picture, as well as an enumeration of the players, which seem to be at least:
Shib IdP instance
MyProxy instance
user, with client(s)
grid service(s)
In the general case all the services are under distinct administrations, hence protocol interactions have to handle conveying trust/authentication/etc info among all of them. Dunno if that's the scenario you're thinking about. But discussions where the players are labeled as "I" and "you" or "local" and "remote" don't seem to end well, in my experience.
Increasingly with Grid services we're seeing the need to couple them with existing authentication services, in essence creating *- to-X509 translators. For example, we now have an online CA (MyProxy) that offers both PAM and SASL authentication mechanisms, allowing a deployment to use an existing LDAP, Kerberos (either password or TGT), Radius, or other (those are just the ones we've tested) authentication service to generate X509 credentials for their users.
As you're probably aware, there's an industry trend to label these kinds of things as "security token services" ...
- RL "Bob"
- Re: authentication authority, Von Welch, 10/04/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Von Welch, 10/04/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Von Welch, 10/04/2005
- Re: authentication authority, RL 'Bob' Morgan, 10/04/2005
- Re: authentication authority, Von Welch, 10/04/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Tom Scavo, 10/05/2005
- RE: authentication authority, Scott Cantor, 10/06/2005
- Re: authentication authority, Von Welch, 10/07/2005
- RE: authentication authority, Scott Cantor, 10/07/2005
- Re: authentication authority, Chad La Joie, 10/07/2005
- Re: authentication authority, Von Welch, 10/09/2005
- Re: authentication authority, Von Welch, 10/07/2005
- Re: authentication authority, Tom Scavo, 10/08/2005
- Re: authentication authority, Scott Cantor, 10/08/2005
- Re: authentication authority, Tom Scavo, 10/10/2005
- RE: authentication authority, Scott Cantor, 10/06/2005
- Re: authentication authority, Tom Scavo, 10/05/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Von Welch, 10/04/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
Archive powered by MHonArc 2.6.16.