
shibboleth-dev - Re: Sub: Can I send decisions from RM to the Portal ??

  • From: "Tom Scavo" <>
  • To:
  • Cc: "GridShib Users" <>
  • Subject: Re: Sub: Can I send decisions from RM to the Portal ??
  • Date: Thu, 30 Nov 2006 09:13:19 -0500
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pWhuNEr7YkF18xmw5f4Qux4AgIAbLamjQHrNSSBad5C6iDbP6i+W2FFAOoVV7BmrMqWmzkVVHYtlXnEAnggiXoOV8DsUxLB1jwaQ7ztgmtBBJ4/MIsND9MSphggAD376jBM9dSn0NSuJ0VP+n6fQ/xOVSk9O0uD8wtcDlKcb0NY=

On 11/30/06, Venkata Krishna Ravula
<>
wrote:

> 1. When the Resource Manager makes an access control decision, the decision is
> then sent to the Portal along with the requested resource.

I'm not sure what you mean by "Resource Manager". Can you elaborate
on this step?

> 2. The portal, on checking the attributes (through some mechanism),
> forwards them to the Globus Toolkit.

If you're talking about the attributes asserted by Shib to the portal,
it's probably not appropriate to simply forward them to a backend
service (such as GT). Presumably these attributes were provided to
the portal for access control to the portal. Moreover, the attribute
assertion obtained from Shib is most likely targeted at the portal
since it was issued subject to policy with respect to the portal.
Shib doesn't know anything about the backend service, it only knows
about the portal.

That said, there are situations where forwarding and/or repackaging of
attributes is appropriate. I won't go into details here, however.

> 3. Now we have the Portal and the Globus Toolkit talk to each other
> through some certificates in order to validate the genuineness of the data
> (attributes) received.

Yes, the portal (like all Grid Clients) authenticates to GT with an
X.509 certificate. This certificate may contain attributes. For
example, VOMS uses X.509 attribute certificates to bind attributes.
GridShib, on the other hand, binds SAML assertions to X.509. Either
way, the portal pushes attributes to GT by binding these attributes to
an X.509 certificate.

Although the portal could bind the attribute assertion obtained from
Shib to the certificate, this is probably not appropriate (as
mentioned above). However, the portal may be authoritative for
certain attributes, say, VO membership attributes. If the portal were
able to resolve these attributes, and then issue and bind SAML to an
X.509 certificate, it could use this certificate to authenticate to
GT.

> 4. Once Globus establishes the genuine owner as the Portal, it then
> provides the resource.

I'm not sure what you mean by this. "Owner" of what?

Hope this helps,
Tom
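The following is an added illustration of the point Tom makes in items 2 and 3 above; it is not code from this thread, from GridShib or from the Globus Toolkit. It builds a portal certificate that carries a SAML-style assertion in an X.509 extension (the "bind SAML to X.509" shape) and then applies the check a backend such as GT would perform on the presented certificate: extract the assertion and refuse it unless its Audience names the backend. The assertion issued by Shib to the portal is addressed to the portal, so that check rejects it when forwarded, while an assertion the portal itself issues for GT passes. The extension OID is a placeholder (not the real GridShib OID), the two assertions are constructed XML fragments with only the Audience element populated, the entity IDs are made up, and the Audience is pulled out with a regular expression rather than a real SAML parser. Standard-library Go is used because the X.509 handling needs no external dependency.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Placeholder OID for the extension carrying the assertion.
// Assumption for this example only; it is not the OID GridShib uses.
var samlExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Constructed sample data (made-up entity IDs, minimal assertions).
const (
	portalEntityID = "https://portal.example.org/shibboleth"
	gtEntityID     = "https://gt.example.org/gram"

	// What Shib issued to the portal: the audience is the portal.
	shibAssertionForPortal = `<Assertion><Conditions><AudienceRestriction>` +
		`<Audience>` + portalEntityID + `</Audience>` +
		`</AudienceRestriction></Conditions></Assertion>`

	// What the portal itself would issue (e.g. VO membership), targeted at GT.
	portalAssertionForGT = `<Assertion><Conditions><AudienceRestriction>` +
		`<Audience>` + gtEntityID + `</Audience>` +
		`</AudienceRestriction></Conditions></Assertion>`
)

// issueBoundCert builds a self-signed portal certificate and binds the
// assertion bytes into a non-critical extension. Simplified: raw XML bytes,
// no DER wrapping of the payload and no CA-issued chain.
func issueBoundCert(subjectCN string, assertion []byte) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{
			{Id: samlExtOID, Critical: false, Value: assertion},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Toy Audience extraction; adequate for the constructed assertions above.
var audienceRe = regexp.MustCompile(`<Audience>([^<]+)</Audience>`)

// relyingPartyAccepts is the backend-side check: pull the assertion out of
// the presented certificate and refuse it unless it is addressed to us.
func relyingPartyAccepts(cert *x509.Certificate, selfEntityID string) error {
	var assertion []byte
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(samlExtOID) {
			assertion = ext.Value
			break
		}
	}
	if len(assertion) == 0 {
		return errors.New("certificate carries no SAML extension")
	}
	m := audienceRe.FindSubmatch(assertion)
	if m == nil {
		return errors.New("assertion has no AudienceRestriction")
	}
	if got := string(m[1]); got != selfEntityID {
		return fmt.Errorf("assertion is targeted at %s, not %s", got, selfEntityID)
	}
	return nil
}

func main() {
	samples := map[string]string{
		"forwarded Shib assertion": shibAssertionForPortal,
		"portal-issued assertion":  portalAssertionForGT,
	}
	for name, a := range samples {
		cert, err := issueBoundCert("portal.example.org", []byte(a))
		if err != nil {
			panic(err)
		}
		if err := relyingPartyAccepts(cert, gtEntityID); err != nil {
			fmt.Printf("%s: rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%s: accepted\n", name)
		}
	}
}
```

Running it shows the forwarded Shib assertion rejected by GT because its audience is the portal, and the portal-issued assertion accepted. The audience check is only the part of the relying-party logic that the thread's point turns on; a real backend would also verify the certificate chain, the assertion's signature and validity window, and whether it trusts the portal as an issuer for the attributes it asserts.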


