shibboleth-dev - Re: attribute push

Subject: Shibboleth Developers

List archive

Re: attribute push


Chronological Thread 
  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: attribute push
  • Date: Mon, 11 Sep 2006 16:06:14 -0400

On 9/11/06, Scott Cantor <> wrote:

> There's no need to play games like this in something like GridShib...

The lowest common denominator in the various GridShib use cases is the
attribute assertion. Let me give a typical use case:

A principal authenticates to a community gateway using campus
credentials. First the gateway queries the campus Shib AA for
attributes on behalf of the principal. The Shib AA responds with an
assertion containing a single AttributeStatement. Next the gateway
issues a SAML attribute query to a local SAML AA on behalf of the
principal. Likewise the SAML AA responds with an assertion containing
a single AttributeStatement. Using its community credential, the
gateway binds the two SAML assertions to a proxy certificate. The
gateway uses this proxy to request a grid service on behalf of the
principal.

What we want to do here is capture the authn context associated with
the campus login. The grid service has policy with respect to campus
authn. It needs to know how that authentication took place.

If the gateway queries for attributes, all it has access to is an
attribute assertion. If the authn context were embedded in the
attribute assertion (which makes conceptual sense since that context
is to be used for access control) then all is well. Today, the best
we can hope for is to *require* Shib attribute push or artifact, in
which case the authn assertion is exposed, but we'd rather not require
such a workaround.

Tom
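The gateway-side check the message above is getting at, as an added example that is not part of the original thread or of GridShib or Shibboleth code: given the set of assertions a gateway holds, look for the campus authentication context. The two attribute assertions (what an AttributeQuery to the campus Shib AA and to the local SAML AA returns) carry only an AttributeStatement, so the lookup finds nothing; only when an assertion with an AuthnStatement is also present (the push or artifact case the message mentions) can the grid service's policy on campus authn be evaluated. The example uses SAML 2.0 element names, and the issuer names, attribute OID, authn context class and the sample XML itself are all constructed for this example, not taken from any deployment.

```python
"""Added example (not from the thread): extract the campus authn context
from the assertions a gateway holds.  Assertions obtained by attribute
query contain only an AttributeStatement and therefore no AuthnContext;
the lookup succeeds only if an assertion carrying an AuthnStatement was
also delivered (attribute push or artifact).  All sample XML, issuer
names and policy values below are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Hypothetical issuers (assumption: example names only).
CAMPUS_IDP = "https://idp.example.edu/shibboleth"
LOCAL_AA = "https://gateway.example.org/saml-aa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed: what the campus Shib AA returns to an AttributeQuery.
CAMPUS_ATTRIBUTE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a1"
    Version="2.0" IssueInstant="2006-09-11T20:00:00Z">
  <saml:Issuer>{CAMPUS_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: what the local SAML AA returns to the gateway's second query.
LOCAL_ATTRIBUTE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a2"
    Version="2.0" IssueInstant="2006-09-11T20:00:01Z">
  <saml:Issuer>{LOCAL_AA}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:vo-role">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: the authn assertion that only attribute push or artifact
# resolution exposes to the gateway.
CAMPUS_AUTHN_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a0"
    Version="2.0" IssueInstant="2006-09-11T19:58:00Z">
  <saml:Issuer>{CAMPUS_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2006-09-11T19:58:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def statement_kinds(assertion_xml: str) -> Set[str]:
    """Local names of the statements an assertion carries, e.g.
    {'AttributeStatement'} for a query response."""
    root = ET.fromstring(assertion_xml)
    return {child.tag.split("}")[1] for child in root
            if child.tag.endswith("Statement")}


def find_authn_context(assertions: Iterable[str], issuer: str) -> Optional[str]:
    """Return the AuthnContextClassRef asserted by `issuer`, or None when no
    assertion from that issuer carries an AuthnStatement.  (Signature
    verification of each assertion is assumed to have happened already.)"""
    for assertion_xml in assertions:
        root = ET.fromstring(assertion_xml)
        if root.findtext("saml:Issuer", namespaces=NS) != issuer:
            continue
        ref = root.find(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if ref is not None and ref.text:
            return ref.text.strip()
    return None


def grid_service_allows(assertions: Iterable[str], issuer: str,
                        accepted: Set[str]) -> bool:
    """Hypothetical grid-service policy: the campus authn context must be
    present and one of the accepted classes; absence is a deny."""
    ctx = find_authn_context(assertions, issuer)
    return ctx is not None and ctx in accepted


if __name__ == "__main__":
    queried = [CAMPUS_ATTRIBUTE_ASSERTION, LOCAL_ATTRIBUTE_ASSERTION]
    print("query only :", find_authn_context(queried, CAMPUS_IDP))
    print("with push  :", find_authn_context(queried + [CAMPUS_AUTHN_ASSERTION],
                                             CAMPUS_IDP))
```

Run stand-alone, the query-only case prints None and the push case prints the PasswordProtectedTransport class, which is the gap the message describes: nothing in an AttributeStatement-only assertion tells the grid service how the campus login happened, so the policy has to deny or the deployment has to force push or artifact.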


