Shibboleth Developers

[Von Welch <>]

Scott,

 I think you've got it, though I don't understand why you think it  
only makes sense if the CA and IdP are in separate domains. From my  
perspective bridging mechanisms has the same impact here as domains.

Von


On Oct 4, 2005, at 5:12 PM, Scott Cantor wrote:

> > What we (gridshib) are wrestling with is if we introduce a third
> > space and another bridge, how do we manage the two bridges such they
> > they work coherently. It seems some sort of communication is
> > necessary, either directly via some shared state between the IdP and
> > MyProxy, or via some information transmitted through the issued X509
> > credentials (e.g. something in an extension the grid service uses in
> > the SAML request). I think we understand the latter, I'm exploring
> > the former.
>
> Ok, I get that, I think. Is your thought that the user would  
> authenticate to
> the My-Proxy component using a SAML bearer assertion that it gets from
> interacting with a SAML SSO service?
>
> Something like:
>
> 1 Grid Client authenticates to SSO service (means unspecified)
>
> 2 SSO issues grid client a bearer assertion targeted at CA
>
> 3 Grid Client presents assertion to CA
>
> 4 CA issues grid client a certificate (not sure how this works or  
> where the
> private key is here), cert subject contains subject from assertion
>
> 5 Grid Client authns to Grid Service with cert
>
> 6 Grid Service optionally uses subject of cert to query AA
>
> This only makes sense if the domain of the CA is in fact not the  
> domain of
> the IdP, so I think the domains of administration are highly relevant.
>
> Or I'm just not getting it from the diagram, which isn't unusual  
> for me.
>
> -- Scott