shibboleth-dev - Re: exposing assertions at the SP
Subject: Shibboleth Developers
List archive
- From: "Tom Scavo" <>
- To:
- Subject: Re: exposing assertions at the SP
- Date: Mon, 25 Sep 2006 09:44:37 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Q8Iaabd7oIjrA4sr4NK9ynGDrim9OD/eLSLFNIf27QttxDEwFo1CkdEXViLn5joJOPRpVPdoEyy6qFMcehjEvsMn0Xlu9tfR8vwjpNsvsnwn/v9z7+TlVB5v56+S8oQm99vn+7D0xacZYVjvqSHUkloY7N37wgo3cHeVGM5wTAY=
On 9/24/06, Scott Cantor
<>
wrote:
Exposing SAML 2.0 assertions is something we probably will support, but even
that isn't going to be all that useful in most cases. I'm sure that will
extend to SAML 1.1, but that doesn't mean you should create profiles to
reuse assertions that are no longer valid and were never intended to be
forwarded.
Agreed. The intent is to leverage previously issued assertions for
the purposes of access control. A SAML authentication assertion
contains useful information a Grid SP can use for authorization. A
SAML V2.0 authentication response, in particular, contains an authn
context that would be *very* useful.
So a Grid SP uses a forwarded authentication assertion for access
control purposes only (authentication to the Grid SP is based on
X.509). To emphasize this fact, the authentication assertion might be
nested inside an attribute assertion, something like this:
<!-- shib-enabled community portal -->
<saml:Assertion ...>
<saml:Conditions ...>...</saml:Conditions>
<saml:Advice>
<!-- attribute assertion obtained from campus Shib AA -->
<saml:Assertion ...>...</saml:Assertion>
<!-- authn assertion obtained from campus Shib IdP (if available) -->
<saml:Assertion ...>...</saml:Assertion>
</saml:Advice>
<!-- community attributes -->
<saml:AttributeStatement>
<!-- the subject of this proxy -->
<saml:Subject>...</saml:Subject>
...
</saml:AttributeStatement>
</saml:Assertion>
See the wiki topic
https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/X509BindingSAML
for additional examples.
> This user requirement is driven by two use cases, the Shib-enabled
> TeraGrid Science Gateway and the IdP Proxy:
>
> https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/TeraGrid
> https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/SAMLIdPProxy
That proxy profile is at odds with the same term used in SAML 2.0, so that
seems potentially confusing. I'd at least qualify it somehow as a different
profile.
I've read the SAML V2.0 bits re IdP Proxying but I don't see a
conflict. Can you elaborate where it falls down?
I think the IdP Proxy use case benefits from nested assertions in the
same way the Grid SP does. A nested assertion is asserted by some IdP
further back in the chain. The more distance between the consumer and
the producer in the chain, the deeper the nesting.
Tom
- exposing assertions at the SP, Tom Scavo, 09/23/2006
- RE: exposing assertions at the SP, Scott Cantor, 09/24/2006
- Re: exposing assertions at the SP, Tom Scavo, 09/25/2006
- RE: exposing assertions at the SP, Scott Cantor, 09/25/2006
- Re: exposing assertions at the SP, Tom Scavo, 09/25/2006
- RE: exposing assertions at the SP, Scott Cantor, 09/25/2006
- Re: exposing assertions at the SP, Tom Scavo, 09/25/2006
- RE: exposing assertions at the SP, Scott Cantor, 09/25/2006
- Re: exposing assertions at the SP, Tom Scavo, 09/25/2006
- RE: exposing assertions at the SP, Scott Cantor, 09/24/2006
Archive powered by MHonArc 2.6.16.