shibboleth-dev - RE: authentication authority

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: authentication authority
  • Date: Tue, 4 Oct 2005 18:12:31 -0400
  • Organization: The Ohio State University

> What we (gridshib) are wrestling with is if we introduce a third
> space and another bridge, how do we manage the two bridges such that
> they work coherently. It seems some sort of communication is
> necessary, either directly via some shared state between the IdP and
> MyProxy, or via some information transmitted through the issued X509
> credentials (e.g. something in an extension the grid service uses in
> the SAML request). I think we understand the latter, I'm exploring
> the former.

Ok, I get that, I think. Is your thought that the user would authenticate to
the MyProxy component using a SAML bearer assertion that it gets from
interacting with a SAML SSO service?

Something like:

1 Grid Client authenticates to SSO service (means unspecified)

2 SSO issues grid client a bearer assertion targeted at CA

3 Grid Client presents assertion to CA

4 CA issues grid client a certificate (not sure how this works or where the
private key is here), cert subject contains subject from assertion

5 Grid Client authns to Grid Service with cert

6 Grid Service optionally uses subject of cert to query AA

This only makes sense if the domain of the CA is in fact not the domain of
the IdP, so I think the domains of administration are highly relevant.

Or I'm just not getting it from the diagram, which isn't unusual for me.

-- Scott
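The six-step flow sketched in the message above, written out as an added example; this is not code from the thread, from Shibboleth or from GridShib, and it makes a few simplifying assumptions: the bearer assertion is a signed JSON body rather than signed SAML XML (the checks the CA makes on it are the same ones a SAML consumer makes: trusted issuer, valid signature, audience, expiry, one-time use), keys are Ed25519, the certificates are real X.509 built with Go's standard library, and the entityIDs, the subject "alice" and the "issuer!subject" key handed to the attribute authority are made up. It also answers the "where is the private key" question in step 4 the usual way: the client keeps the key and sends a CSR, and the CA takes the certificate subject from the assertion, never from the CSR, and records which IdP vouched for it so a relying party in a different administrative domain can tell the two apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for a SAML bearer assertion (assumption: signed JSON, not signed XML).
type Assertion struct {
	ID       string    `json:"id"`       // unique ID, used by the CA for replay detection
	Issuer   string    `json:"issuer"`   // IdP entityID, i.e. the IdP's administrative domain
	Subject  string    `json:"subject"`  // NameID the IdP authenticated (step 1, means unspecified)
	Audience string    `json:"audience"` // entityID of the CA the assertion is targeted at
	Expires  time.Time `json:"expires"`  // NotOnOrAfter
}

type SignedAssertion struct{ Body, Sig []byte }

// Step 2: the SSO service issues a bearer assertion targeted at the CA.
func IssueAssertion(idpKey ed25519.PrivateKey, idpID, subject, caID string, ttl time.Duration) (SignedAssertion, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return SignedAssertion{}, err
	}
	body, err := json.Marshal(Assertion{ID: fmt.Sprintf("%x", id), Issuer: idpID, Subject: subject,
		Audience: caID, Expires: time.Now().Add(ttl)})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Body: body, Sig: ed25519.Sign(idpKey, body)}, nil
}

// Step 3, client side: the private key is generated and kept by the client; only a CSR goes to the CA.
func ClientCSR() ([]byte, ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, priv)
	return csr, priv, err
}

// CA lives in its own administrative domain and trusts a fixed set of IdPs.
type CA struct {
	ID          string
	key         ed25519.PrivateKey
	Cert        *x509.Certificate
	TrustedIdPs map[string]ed25519.PublicKey // issuer entityID -> IdP signing key
	redeemed    map[string]bool              // assertion IDs already exchanged for a cert
}

func NewCA(id string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: id},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{ID: id, key: priv, Cert: cert, TrustedIdPs: map[string]ed25519.PublicKey{}, redeemed: map[string]bool{}}, nil
}

// Step 4: the CA redeems a bearer assertion for a certificate over the client's own key.
func (ca *CA) IssueCert(sa SignedAssertion, csrDER []byte) (*x509.Certificate, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return nil, err
	}
	idpKey, ok := ca.TrustedIdPs[a.Issuer]
	switch {
	case !ok:
		return nil, errors.New("assertion from untrusted issuer " + a.Issuer)
	case !ed25519.Verify(idpKey, sa.Body, sa.Sig):
		return nil, errors.New("assertion signature invalid")
	case a.Audience != ca.ID:
		return nil, errors.New("assertion not targeted at this CA")
	case !time.Now().Before(a.Expires):
		return nil, errors.New("assertion expired")
	case ca.redeemed[a.ID]: // a bearer assertion buys exactly one certificate
		return nil, errors.New("assertion already redeemed")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof the client holds the private key
		return nil, err
	}
	ca.redeemed[a.ID] = true
	// Subject comes from the assertion, not the CSR, and names the IdP that vouched for it.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-grade serial
		Subject:   pkix.Name{CommonName: a.Subject, Organization: []string{a.Issuer}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Steps 5 and 6: the grid service checks the chain to the CA and builds the key it queries the AA with.
func GridServiceAccept(caCert, cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if len(cert.Subject.Organization) != 1 {
		return "", errors.New("certificate subject does not name the issuing IdP")
	}
	return cert.Subject.Organization[0] + "!" + cert.Subject.CommonName, nil // issuer-qualified AA key (made-up delimiter)
}

func main() {
	ca, _ := NewCA("https://ca.grid.example.org")
	fmt.Println("CA ready:", ca.Cert.Subject.CommonName)
}
```

The audience and replay checks are the two that matter once the CA and the IdP sit in different domains: without the audience check an assertion minted for some other service could be redeemed for a grid certificate, and without the one-time check anyone who captures the bearer assertion in transit gets a certificate of their own under the same subject.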
