shibboleth-dev - Re: authentication authority
  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Subject: Re: authentication authority
  • Date: Wed, 12 Oct 2005 17:46:31 -0400

On 10/10/05, Scott Cantor <> wrote:
>
> I just think this is all a bad fit. I think the SAML authority should be
> issuing the certificates. Nothing else makes a great deal of sense to me.

Yeah, I agree it's getting ugly and so we retrenched and came up with
a new profile for a constrained set of users, namely, potential grid
users who do not possess an X.509 EEC. Now that MyProxy includes an
online CA, we can generate short-lived X.509 credentials for these
users on the fly. This gives rise to the following profile variant:

1) A MyProxy Client, on behalf of the Grid User, sends a MyProxy
Protocol request to the MyProxy Server. The Grid User's
authentication credentials (username/password) are included with the
request.
2) The MyProxy Server issues an HTTP request against a custom IdP
protocol handler protected by BASIC authentication. The request
includes the time-to-live (TTL) of the requested certificate. The
username/password are included in the header of the HTTP request (in
accordance with the BASIC authentication protocol).
3) The IdP validates the username/password in the request, creates and
registers a ShibHandle, and returns a <saml:NameIdentifier> element to
the MyProxy Server. The TTL of the ShibHandle matches the TTL of the
proxy certificate.
4) The MyProxy Server creates a short-lived X.509 certificate for the
user, inserts the <saml:NameIdentifier> element into a certificate
extension, and returns the certificate to the MyProxy Client.
5) A Grid Client, on behalf of the Grid User, POSTs a SOAP request to
the SP, authenticating with the short-lived X.509 credential.
6) The SP validates the X.509 certificate and POSTs a SAML SOAP
message to the Attribute Authority (AA) at the IdP. The SAML Subject
in the AttributeQuery includes the <saml:NameIdentifier> element from
the certificate.
7) The AA returns an attribute assertion to the SP.
8) The SP performs the requested operation and returns a response to
the Grid Client.

Steps 2 and 3 are most interesting. We're still working out the
details, but it's not clear a heavyweight SOAP protocol is warranted.
Suggestions?

Thanks,
Tom
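The exchange in steps 2 and 3 of the profile above, together with the Attribute Authority's side of step 6, as an added stand-alone example. This is not code from the original message, from MyProxy or from Shibboleth; it uses only the Python standard library, an in-memory dictionary in place of the IdP's handle store, and a constructed user table. The handle Format URI, the NameQualifier, the MAX_TTL cap and the function names are assumptions. The point it shows is the one the profile relies on: the ShibHandle registered in step 3 gets exactly the TTL requested for the certificate, and the AA refuses a handle once that time has passed, so the NameIdentifier embedded in the certificate extension cannot be replayed against the AA after the short-lived credential has expired.

```python
"""Steps 2, 3 and 6 of the profile as an offline simulation (added example)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)
NAME_ID_TAG = f"{{{SAML_NS}}}NameIdentifier"

# Assumptions: the IdP's handle Format URI and NameQualifier, and a cap on the
# certificate lifetime the handler will honour.
HANDLE_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
NAME_QUALIFIER = "https://idp.example.edu/shibboleth"
MAX_TTL = 12 * 3600

# Constructed user store: username -> salted SHA-256 of the password.
_SALT = b"example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# In-memory handle registry: handle -> (username, expiry). Stands in for the
# IdP handle store the Attribute Authority consults in step 6.
HANDLES = {}


def myproxy_request(username, password, ttl):
    """Step 2: the HTTP request the MyProxy Server sends to the IdP handler.

    Returns (headers, params): a BASIC Authorization header built from the
    Grid User's username/password, and the requested certificate TTL in seconds.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}, {"ttl": ttl}


def _password_ok(username, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # Compare against a dummy digest for unknown users so a timing difference
    # does not reveal which usernames exist.
    stored = USERS.get(username, "0" * 64)
    return hmac.compare_digest(stored, digest) and username in USERS


def idp_handler(headers, params, now=None):
    """Step 3: validate BASIC credentials, register a ShibHandle whose lifetime
    equals the requested certificate TTL, return a <saml:NameIdentifier> string.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        raise PermissionError("missing or non-Basic Authorization header")
    try:
        username, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        raise PermissionError("malformed Basic token") from None
    if not _password_ok(username, password):
        raise PermissionError("bad username/password")
    ttl = int(params.get("ttl", 0))
    if not 0 < ttl <= MAX_TTL:
        raise ValueError(f"TTL {ttl}s outside 1..{MAX_TTL}s")

    handle = secrets.token_urlsafe(24)          # opaque, unguessable
    HANDLES[handle] = (username, now + ttl)     # same lifetime as the certificate

    el = ET.Element(NAME_ID_TAG, {"Format": HANDLE_FORMAT, "NameQualifier": NAME_QUALIFIER})
    el.text = handle
    return ET.tostring(el, encoding="unicode")


def aa_resolve(name_identifier_xml, now=None):
    """Step 6, AA side: map the NameIdentifier the SP copied out of the
    certificate extension back to a user. Unknown, foreign or expired
    handles are refused, so a handle cannot outlive its certificate.
    """
    now = time.time() if now is None else now
    el = ET.fromstring(name_identifier_xml)
    if el.tag != NAME_ID_TAG or el.get("Format") != HANDLE_FORMAT:
        raise ValueError("not a Shibboleth handle NameIdentifier")
    if el.get("NameQualifier") != NAME_QUALIFIER:
        raise ValueError("handle not issued by this IdP")
    entry = HANDLES.get((el.text or "").strip())
    if entry is None:
        raise LookupError("unknown handle")
    username, expiry = entry
    if now >= expiry:
        raise LookupError("handle expired with the certificate")
    return username


if __name__ == "__main__":
    hdrs, prm = myproxy_request("alice", "correct horse", 3600)
    nid = idp_handler(hdrs, prm, now=0.0)
    print(nid)
    print(aa_resolve(nid, now=3599.0))
```

Because the request in step 2 is a single BASIC-authenticated GET or POST with one parameter and the response is a single element, the handler above is the whole protocol; there is nothing here that a SOAP envelope would add beyond framing. Whatever transport is chosen, the BASIC header carries the user's password in the clear, so the hop from the MyProxy Server to the IdP handler has to be TLS with the IdP's certificate verified, and the handle returned must be the same opaque value the AA later looks up, never something derived from the username.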
