Shibboleth Developers

[Brent Putman <>]

Tom Scavo wrote:

> On 10/13/05, Tom Scavo 
> <>
>  wrote:
>  
>
> > On 10/13/05, Scott Cantor 
> > <>
> >  wrote:
> >
> >    
> >
> > > I just wonder
> > > if it isn't better to do what I originally suggested, use a SAML assertion
> > > issued by the IdP to authenticate to the MyProxy service. That of course
> > > also gets you a subject identifier for the cert that will be valid at the
> > > AA.
> > >      
> > Excellent idea!  I'll look at that more closely and see what the issues are.
> >    
>
> I've gone over this thread numerous times but unfortunately I have
> absolutely no idea how to implement this step:
>
>  
>
> > 1 Grid Client authenticates to SSO service (means unspecified)
> >    
>
> Certainly you don't mean the current SSO service, which as we all know
> is geared towards browser users.  I just don't know how a command-line
> MyProxy Client can obtain a SAML authN assertion, from an existing
> Shib component or otherwise.
>
>  


I think what Scott proposed, and what you are looking for, is very 
similar to what Chad presented at GridWorld/GGF last week.  In a 
nutshell it involves using SAML 2.0 AuthnRequest and 
RequestedAuthnContext.  See Chad's slides available here:

http://www.ggf.org/GGF15/ggf_events_schedule_UserManagement.htm

We will probably be implementing something very similar for another 
non-Grid fat client-server oriented project (Sentinel)  - yes, by 
non-spec-compliant backporting it to Shib 1.3 (that is, not compliant to 
SAML 1.1), and implementing an IdP handler which can process the 
AuthnRequest for various cred types (username/password, client cert, 
biometrics, etc) and issue an authentication assertion.

I actually think his proposal is very relevant to this entire thread.  
Chad is out and about today, but I'm sure he'll comment further when he 
gets a chance.