shibboleth-dev - RE: authentication authority
- From: "Scott Cantor" <>
- To: "'Tom Scavo'" <>
- Cc: <>
- Subject: RE: authentication authority
- Date: Thu, 13 Oct 2005 16:18:47 -0400
- Organization: The Ohio State University
> 1) A MyProxy Client, on behalf of the Grid User, sends a MyProxy
> Protocol request to the MyProxy Server. The Grid User's
> authentication credentials (username/password) are included with the
> request.
What does this protocol consist of? Presumably this flow works as long as
the user's security domain stands up the MyProxy service, so I just wonder
if it isn't better to do what I originally suggested, use a SAML assertion
issued by the IdP to authenticate to the MyProxy service. That of course
also gets you a subject identifier for the cert that will be valid at the
AA.
Of course, if attaching an assertion to that protocol is hard, then I guess
that's a problem.
> 6) The SP validates the X.509 certificate and POSTs a SAML SOAP
> message to the Attribute Authority (AA) at the IdP. The SAML Subject
> in the AttributeQuery includes the <saml:NameIdentifier> element from
> the certificate.
One thing to note here...this all works more or less fine but *only* because
we actually have a bit of a long-standing bug in that we don't really issue
transient IDs to specific SPs. So there's no SP check made when a query
comes in. Really there should be. At that point, you have a problem, but you
could simply define this NameID as some other format that shouldn't have
per-SP semantics.
Anything you stick in a cert is a correlation handle, so it really shouldn't
be a Shib or SAML 2.0 transient NameID.
> Steps 2 and 3 are most interesting. We're still working out the
> details but it's not clear a heavyweight SOAP protocol is warranted.
> Suggestions?
Mainly whether it's possible or desirable at all to reverse that flow so
that authentication to the IdP is more direct and the user's credentials get
federated to MyProxy using SAML. Also removes the need for a callback there.
-- Scott
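As an added illustration (not from the original thread or the Shibboleth code base) of the per-SP check Scott says the attribute authority is missing, here is a small Python model of an AA: transient NameIDs are stored together with the SP they were issued to and are rejected when a different SP queries with them, while a stable identifier such as an X.509 subject name carries no per-SP binding and resolves regardless of who asks. Entity IDs, principal names, the time-to-live and the store layout are assumptions; the NameID format URIs are the standard SAML 1.1/2.0 ones.

```python
"""
Toy SAML Attribute Authority showing the per-SP check on transient NameIDs.
Added example, not Shibboleth code; entity IDs, principals and the store
layout are assumptions made for the illustration.
"""
import secrets
import time

# Standard SAML NameID format URIs.
SAML2_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAML2_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SAML_X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


class AttributeAuthority:
    """Holds transient-ID state and resolves AttributeQuery subjects."""

    def __init__(self, ttl_seconds=8 * 3600, now=time.time):
        self._now = now            # injectable clock for testing
        self._ttl = ttl_seconds    # assumed lifetime of a transient ID
        # transient id -> (principal, sp_entity_id it was issued to, expiry)
        self._transients = {}
        # stable identifier (cert DN, persistent ID) -> principal
        self._stable = {}

    def issue_transient(self, principal, sp_entity_id):
        """Mint a transient NameID bound to the SP that receives the assertion."""
        tid = secrets.token_urlsafe(24)
        self._transients[tid] = (principal, sp_entity_id, self._now() + self._ttl)
        return tid

    def register_stable(self, name, principal):
        """Record a stable (non-transient) identifier for a principal."""
        self._stable[name] = principal

    def resolve(self, name_id, name_format, requester):
        """Resolve an AttributeQuery Subject to a principal, or None if refused."""
        if name_format == SAML2_TRANSIENT:
            entry = self._transients.get(name_id)
            if entry is None:
                return None
            principal, issued_to, expiry = entry
            if self._now() > expiry:
                return None
            # The per-SP check: a transient ID only has meaning for the SP it
            # was issued to, so a query from any other SP is refused.
            if issued_to != requester:
                return None
            return principal
        if name_format in (SAML2_PERSISTENT, SAML_X509_SUBJECT):
            # Stable identifiers have no per-SP semantics; any SP the AA is
            # willing to answer can resolve them (correlation is the price).
            return self._stable.get(name_id)
        return None


def scenario(clock):
    """Walk the thread's flow: IdP issues a transient ID to the MyProxy SP,
    the ID ends up in a certificate, and a different grid SP queries with it."""
    aa = AttributeAuthority(now=clock)
    myproxy_sp = "https://myproxy.example.org/shibboleth"   # assumed entity ID
    grid_sp = "https://grid-sp.example.org/shibboleth"       # assumed entity ID

    tid = aa.issue_transient("tscavo", myproxy_sp)           # constructed principal
    dn = "CN=tscavo,O=Example Grid"                           # constructed cert DN
    aa.register_stable(dn, "tscavo")

    return {
        # transient ID used by the SP it was issued to: fine
        "transient_same_sp": aa.resolve(tid, SAML2_TRANSIENT, myproxy_sp),
        # transient ID copied into a cert and presented by another SP: refused
        "transient_other_sp": aa.resolve(tid, SAML2_TRANSIENT, grid_sp),
        # a cert subject name as NameID resolves without per-SP binding
        "x509_other_sp": aa.resolve(dn, SAML_X509_SUBJECT, grid_sp),
    }


if __name__ == "__main__":
    print(scenario(time.time))
```

The refusal in the second case is exactly why the message argues that an identifier placed in a certificate should use a format without per-SP semantics: once the AA enforces the check, a transient ID minted for the MyProxy SP stops working for every other SP that later presents the certificate.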