shibboleth-dev - Re: authentication authority

Re: authentication authority

  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: authentication authority
  • Date: Thu, 13 Oct 2005 18:13:32 -0400

On 10/13/05, Scott Cantor <> wrote:
> > 1) A MyProxy Client, on behalf of the Grid User, sends a MyProxy
> > Protocol request to the MyProxy Server. The Grid User's
> > authentication credentials (username/password) are included with the
> > request.
>
> What does this protocol consist of?

You don't want to know... ;-)

> I just wonder
> if it isn't better to do what I originally suggested, use a SAML assertion
> issued by the IdP to authenticate to the MyProxy service. That of course
> also gets you a subject identifier for the cert that will be valid at the
> AA.

Excellent idea! I'll look at that more closely and see what the issues are.

> One thing to note here...this all works more or less fine but *only* because
> we actually have a bit of a long-standing bug in that we don't really issue
> transient IDs to specific SPs. So there's no SP check made when a query
> comes in. Really there should be.

Good point. This anticipates a question Tom Barton had on the
GridShib call today. Thanks for mentioning this.

Scott, your comments and suggestions continue to be invaluable.
Thanks for taking the time.

Tom
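
The SP check Scott says the IdP should make, as an added example that is not code from this thread or from Shibboleth: each transient ID is minted bound to the SP entityID it was issued to, and an attribute query for that ID is only resolved when the requesting SP matches. The class, function names, `enforce_sp_check` switch (off reproduces the unchecked behaviour described above) and the example entityIDs are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TransientBinding:
    principal: str      # local user the transient ID stands for
    issued_to: str      # SP entityID the ID was issued to
    expires_at: float   # absolute Unix time after which the ID is dead


class TransientIdStore:
    """Mints opaque transient IDs and resolves them for attribute queries."""

    def __init__(self, ttl_seconds: int = 4 * 3600):
        self._ttl = ttl_seconds
        self._bindings: Dict[str, TransientBinding] = {}

    def issue(self, principal: str, sp_entity_id: str, now: Optional[float] = None) -> str:
        # Unguessable handle; remember which SP it was issued to.
        now = time.time() if now is None else now
        transient_id = "_" + secrets.token_hex(16)
        self._bindings[transient_id] = TransientBinding(principal, sp_entity_id, now + self._ttl)
        return transient_id

    def resolve(self, transient_id: str, requester_entity_id: str,
                now: Optional[float] = None, enforce_sp_check: bool = True) -> str:
        # Called when an attribute query arrives; returns the principal to release attributes for.
        now = time.time() if now is None else now
        binding = self._bindings.get(transient_id)
        if binding is None:
            raise LookupError("unknown transient ID")
        if now >= binding.expires_at:
            raise LookupError("transient ID expired")
        # The check the thread says is missing: only the SP the ID was issued to may query it.
        if enforce_sp_check and requester_entity_id != binding.issued_to:
            raise PermissionError("transient ID was issued to a different SP")
        return binding.principal


if __name__ == "__main__":
    # Constructed walk-through: issue to SP A, then query from SP B.
    store = TransientIdStore(ttl_seconds=60)
    tid = store.issue("alice", "https://sp-a.example.org/shibboleth", now=1000.0)
    print(store.resolve(tid, "https://sp-a.example.org/shibboleth", now=1010.0))
    try:
        store.resolve(tid, "https://sp-b.example.org/shibboleth", now=1010.0)
    except PermissionError as exc:
        print("rejected:", exc)
```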