
[Handle-globus] saml attribute query example - gridshib-profile-05



I've attached the last "gridshib-profile-05.txt" as it is maintained for
the gridshib project (http://grid.ncsa.uiuc.edu/GridShib/)(thanks to Tom
Scavo and Tim Freeman).

The attached is useful because it gives some examples of how SAML 1.1
attribute queries are used within Shibboleth and GridShib.

The only part that is really interesting for us right now is the SOAP
messages as they are exchanged, as they are a good example of what the
exchange looks like.

Enjoy, Frank.

--------------------------------------------------------

GridShib Profile [gridshib-profile-05]

PRECONDITIONS

+ The Grid User and the Grid Service each possess an X.509 credential.
+ The Grid User is enrolled with a Shibboleth Identity Provider (IdP).
[REWORD]
+ The IdP is able to map the Grid User's X.509 Subject DN to one and
only one user in its security domain.
+ The IdP and the Grid Service each have been assigned a unique
identifier called a providerId.
+ The Grid Client application has access to the Grid User's X.509
certificate and the IdP providerId.
+ The Grid Service and the IdP rely on the same metadata format and
exchange this metadata out-of-band.

OVERVIEW

This GridShib profile consists of four steps:

1) The Grid Client POSTs a SOAP request to the Grid Service.
2) The Grid Service POSTs a SAML SOAP message to the AA at the IdP.
3) The AA returns an attribute assertion to the Grid Service.
4) The Grid Service performs the requested operation and returns a
response to the Grid Client.

PROFILE

1) The Grid Client POSTs a SOAP request to the Grid Service. 
Accompanying the request is the following information:

  + The providerId of the Grid Client's IdP
  + The X.509 Subject DN of the client cert

2) The Grid Service validates the request and POSTs a SAML SOAP request
to the attribute authority (AA) at the IdP:

POST /shibboleth/AA HTTP/1.1
Host: gridshib.uchicago.edu
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Request
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      MajorVersion="1" MinorVersion="1"
      IssueInstant="2004-12-05T09:22:04Z"
      RequestID="aaf23196-1773-2113-474a-fe114412ab72">
      <samlp:AttributeQuery
        Resource="https://globus.org/gridshib">  <!-- Grid Service providerId -->
        <saml:Subject>
          <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://uchicago.edu/gridshib/idp">  <!-- IdP providerId -->
            <!-- insert X.509 Subject DN here -->
          </saml:NameIdentifier>
        </saml:Subject>
        <saml:AttributeDesignator
          AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
        <saml:AttributeDesignator
          AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      </samlp:AttributeQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The following conditions on the <samlp:AttributeQuery> element MUST be
satisfied:

  + The value of the Resource attribute of the <samlp:AttributeQuery>
element is the providerId of the Grid Service.
  + The value of the Format attribute of the <saml:NameIdentifier>
element is the standard SAML URI
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".
  + The value of the NameQualifier attribute of the
<saml:NameIdentifier> element is the providerId of the Grid Client's IdP
at step 1.
  + The value of the <saml:Subject> element is the X.509 Subject DN
(suitably encoded) associated with the Grid Client at step 1.

The requested attributes (eduPersonAffiliation and
eduPersonPrincipalName) are for illustration only.
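The following is an added example (not part of the profile text or the GridShib software) that builds the step 2 query with Python's standard xml.etree and checks the four MUST conditions above before the message is sent. The providerIds are the ones the profile uses; the Subject DN, the RFC 2253 string form used for it, and the helper names are assumptions of this example.

```python
"""Added example: build the step 2 SAML 1.1 AttributeQuery and check the
MUST conditions a Grid Service should enforce before POSTing it.
Not the GridShib project's code. providerIds come from the profile; the
Subject DN below is constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_SUBJECT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

GRID_SERVICE_ID = "https://globus.org/gridshib"   # Grid Service providerId (profile)
IDP_ID = "http://uchicago.edu/gridshib/idp"       # IdP providerId (profile)
SUBJECT_DN = "CN=Grid User,O=Example Org,C=US"    # constructed, RFC 2253 form (assumed)

for prefix, uri in (("SOAP-ENV", SOAP_NS), ("saml", SAML_NS), ("samlp", SAMLP_NS)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_attribute_query(grid_service_id, idp_id, subject_dn, attribute_names,
                          request_id=None, issue_instant=None):
    """Return the SOAP envelope (str) carrying the samlp:AttributeQuery."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    ET.SubElement(env, q(SOAP_NS, "Header"))
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.SubElement(body, q(SAMLP_NS, "Request"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": instant,
        "RequestID": request_id or str(uuid.uuid4()),
    })
    # Condition 1: Resource is the Grid Service providerId
    query = ET.SubElement(req, q(SAMLP_NS, "AttributeQuery"), {"Resource": grid_service_id})
    subject = ET.SubElement(query, q(SAML_NS, "Subject"))
    # Conditions 2-4: X509SubjectName format, IdP providerId as qualifier,
    # the client's Subject DN as the value
    nid = ET.SubElement(subject, q(SAML_NS, "NameIdentifier"),
                        {"Format": X509_SUBJECT_FORMAT, "NameQualifier": idp_id})
    nid.text = subject_dn
    for name in attribute_names:
        ET.SubElement(query, q(SAML_NS, "AttributeDesignator"),
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    return ET.tostring(env, encoding="unicode")


def check_attribute_query(soap_xml, grid_service_id, idp_id, expected_dn):
    """Return the list of violated MUST conditions; an empty list means the
    query is acceptable (on the IdP side the same checks apply on receipt)."""
    root = ET.fromstring(soap_xml)
    query = root.find(".//" + q(SAMLP_NS, "AttributeQuery"))
    if query is None:
        return ["no samlp:AttributeQuery in the SOAP body"]
    problems = []
    if query.get("Resource") != grid_service_id:
        problems.append("Resource is not the Grid Service providerId")
    nid = query.find(q(SAML_NS, "Subject") + "/" + q(SAML_NS, "NameIdentifier"))
    if nid is None:
        return problems + ["saml:Subject has no saml:NameIdentifier"]
    if nid.get("Format") != X509_SUBJECT_FORMAT:
        problems.append("NameIdentifier Format is not X509SubjectName")
    if nid.get("NameQualifier") != idp_id:
        problems.append("NameQualifier is not the Grid Client's IdP providerId")
    if (nid.text or "").strip() != expected_dn:
        problems.append("NameIdentifier value is not the client's X.509 Subject DN")
    return problems


if __name__ == "__main__":
    xml = build_attribute_query(GRID_SERVICE_ID, IDP_ID, SUBJECT_DN, [EPA, EPPN])
    print(xml)
    print("violations:", check_attribute_query(xml, GRID_SERVICE_ID, IDP_ID, SUBJECT_DN))
```

The checker deliberately reports every failed condition rather than stopping at the first, which is what you want when logging rejected queries on the AA side.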

3) The AA at the IdP processes the request, formulates an attribute
assertion and returns the attributes to the Grid Service:

HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnnn

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      IssueInstant="2004-12-05T09:22:05Z"
      MajorVersion="1" MinorVersion="1"
      ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        MajorVersion="1" MinorVersion="1"
        AssertionID="a144e8f3-adad-594a-9649-924517abe933"
        IssueInstant="2004-12-05T09:22:05Z"
        Issuer="http://uchicago.edu/gridshib/idp">  <!-- IdP providerId -->
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:52:05Z">
          <saml:AudienceRestrictionCondition>
            <!-- Grid Service providerId -->
            <saml:Audience>https://globus.org/gridshib</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
              NameQualifier="http://uchicago.edu/gridshib/idp">  <!-- IdP providerId -->
              <!-- insert X.509 Subject DN here -->
            </saml:NameIdentifier>
          </saml:Subject>
          <saml:Attribute
            AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>
              member
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute
            AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue Scope="uchicago.edu">
              gridshib
            </saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

4) The Grid Service parses the attribute assertion, creates a security
context, makes an access control decision, performs the requested
operation and returns a response to the Grid Client.
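The following is an added example (not the profile's or the project's code) of the step 4 parsing on the Grid Service side: it ties the response to the RequestID sent at step 2, checks status, issuer, validity window, audience and subject against what the Grid Service already knows, and only then turns the assertion into the attribute set an access control decision can use. The sample response is a constructed copy of the step 3 message with a constructed Subject DN filled in; the "value@scope" rendering of scoped attribute values follows the usual Shibboleth convention. The profile's example message carries no ds:Signature, so signature or transport authentication of the response is assumed to have been done before this code runs.

```python
"""Added example: validate a step 3 samlp:Response and extract attributes
for the step 4 access control decision. Not the GridShib project's code.
SAMPLE_RESPONSE is a constructed copy of the profile's example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_SUBJECT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
GRID_SERVICE_ID = "https://globus.org/gridshib"         # from the profile
IDP_ID = "http://uchicago.edu/gridshib/idp"             # from the profile
REQUEST_ID = "aaf23196-1773-2113-474a-fe114412ab72"     # RequestID sent at step 2
SUBJECT_DN = "CN=Grid User,O=Example Org,C=US"          # constructed

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      IssueInstant="2004-12-05T09:22:05Z" MajorVersion="1" MinorVersion="1"
      ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1"
        AssertionID="a144e8f3-adad-594a-9649-924517abe933"
        IssueInstant="2004-12-05T09:22:05Z" Issuer="http://uchicago.edu/gridshib/idp">
        <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:52:05Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>https://globus.org/gridshib</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
              NameQualifier="http://uchicago.edu/gridshib/idp">CN=Grid User,O=Example Org,C=US</saml:NameIdentifier>
          </saml:Subject>
          <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue Scope="uchicago.edu">gridshib</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def parse_instant(value):
    """SAML UTC timestamp ('2004-12-05T09:22:05Z') -> aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_attribute_response(xml, request_id, grid_service_id, idp_id, expected_dn, now):
    """Return {AttributeName: [values]} from a response that passes every
    check; raise ValueError otherwise. Message authentication (signature or
    TLS) is assumed to have been verified before calling this."""
    root = ET.fromstring(xml)
    resp = root.find(".//{%s}Response" % SAMLP_NS)
    if resp is None or resp.get("InResponseTo") != request_id:
        raise ValueError("response does not answer our RequestID")
    code = resp.find("{%s}Status/{%s}StatusCode" % (SAMLP_NS, SAMLP_NS))
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("status is not Success")
    assertion = resp.find("{%s}Assertion" % SAML_NS)
    if assertion is None or assertion.get("Issuer") != idp_id:
        raise ValueError("assertion missing or issued by an unexpected IdP")
    cond = assertion.find("{%s}Conditions" % SAML_NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_instant(nb)) or (noa and now >= parse_instant(noa)):
            raise ValueError("assertion is outside its validity window")
        audiences = [(a.text or "").strip() for a in cond.iter("{%s}Audience" % SAML_NS)]
        if audiences and grid_service_id not in audiences:
            raise ValueError("assertion is restricted to another audience")
    nid = assertion.find(".//{%s}AttributeStatement/{%s}Subject/{%s}NameIdentifier"
                         % (SAML_NS, SAML_NS, SAML_NS))
    if (nid is None or nid.get("Format") != X509_SUBJECT_FORMAT
            or nid.get("NameQualifier") != idp_id
            or (nid.text or "").strip() != expected_dn):
        raise ValueError("assertion subject does not match the Grid Client")
    attrs = {}
    for attr in assertion.iter("{%s}Attribute" % SAML_NS):
        values = []
        for v in attr.iter("{%s}AttributeValue" % SAML_NS):
            text = (v.text or "").strip()
            # Shibboleth convention: a scoped value is rendered as value@scope
            values.append(text + "@" + v.get("Scope") if v.get("Scope") else text)
        attrs[attr.get("AttributeName")] = values
    return attrs


def authorize(attrs, required_affiliation="member"):
    """Toy access control decision for step 4: require an affiliation value."""
    return required_affiliation in attrs.get(EPA, [])


if __name__ == "__main__":
    got = validate_attribute_response(SAMPLE_RESPONSE, REQUEST_ID, GRID_SERVICE_ID, IDP_ID,
                                      SUBJECT_DN, parse_instant("2004-12-05T09:22:05Z"))
    print(got, "authorized:", authorize(got))
```

Every check compares the response to a value the Grid Service already holds (its own RequestID and providerId, the IdP providerId from step 1, the client's DN from its certificate), so a response cannot supply the values it is judged against.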

SECURITY AND PRIVACY CONSIDERATIONS

TBA

METADATA

An example of Shibboleth Identity Provider metadata:  [UPDATE]

<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://uchicago.edu/gridshib/idp">  <!-- IdP providerId -->
  <!-- insert ds:Signature element here -->
  <!-- insert md:IDPSSODescriptor element here -->
  <md:AttributeAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>IdP AA Key</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
      Location="https://gridshib.uchicago.edu/shibboleth/AA"/>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    </md:NameIDFormat>
    <saml:Attribute
      Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
      Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
  </md:AttributeAuthorityDescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">
      Shibboleth Identity Provider
    </md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">
      Shibboleth Identity Provider @ Some Location
    </md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">
      http://www.uchicago.edu/
    </md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:SurName>Shibboleth IdP Support</md:SurName>
    <md:EmailAddress>mailto:shib-support@uchicago.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

The following conditions on the above <md:EntityDescriptor> element MUST
be satisfied:

  + The value of the entityID attribute of the <md:EntityDescriptor>
element is the providerId of the IdP.
  + The value of the Binding attribute of the <md:AttributeService>
element is "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding".
  + The value of the Location attribute of the <md:AttributeService>
element is used at step 2 of the profile.
  + There must be one <md:NameIDFormat> element whose value is
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".  Other
identifiers may be supported by the IdP, that is, other
<md:NameIDFormat> elements may be called out in metadata.

The <saml:Attribute> elements are for illustration only.  The IdP is not
required to advertise the attributes it will supply in response to an
attribute query.

An example of Shibbolized Grid Service metadata:

<md:EntitiesDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
    ../schemas/saml-schema-metadata-2.0.xsd
    urn:mace:shibboleth:metadata:1.0
    ../schemas/shibboleth-metadata-1.0.xsd
    http://www.w3.org/2000/09/xmldsig#
    ../schemas/xmldsig-core-schema.xsd"
  Name="urn:mace:shibboleth:examples"
  validUntil="2010-01-01T00:00:00Z">

  <md:Extensions>
    <!-- This extension contains the cert of the CA that signed the grid
         container SSL client cert. -->
    <shibmeta:KeyAuthority VerifyDepth="1">
      <!-- cert of CA that signed grid container SSL client cert -->
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- base64-encoded CA certificate omitted -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </shibmeta:KeyAuthority>
  </md:Extensions>

  <md:EntityDescriptor
    entityID="https://globus.org/gridshib">  <!-- Grid Service providerId -->
    <!-- insert ds:Signature element here -->
    <md:RoleDescriptor
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:mdext="urn:oasis:names:tc:SAML:2.0:metadata:extensions"
      xsi:type="mdext:AttributeRequesterDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor use="signing">
        <!-- grid container SSL client cert -->
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
              <!-- base64-encoded client certificate omitted -->
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>
        urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      </md:NameIDFormat>
      <md:AttributeConsumingService isDefault="true" index="0">
        <md:ServiceName xml:lang="en">
          Shibbolized Grid Service
        </md:ServiceName>
        <md:RequestedAttribute
          Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        </md:RequestedAttribute>
        <md:RequestedAttribute
          Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        </md:RequestedAttribute>
      </md:AttributeConsumingService>
    </md:RoleDescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">
        GridShib Service Provider
      </md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">
        GridShib Service Provider @ Some Location
      </md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">
        http://www.globus.org/
      </md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
      <md:SurName>GridShib Support</md:SurName>
      <md:EmailAddress>mailto:gridshib-support@globus.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>

</md:EntitiesDescriptor>

The following conditions on the above <md:EntityDescriptor> element MUST
be satisfied:

  + The value of the entityID attribute of the <md:EntityDescriptor>
element is the providerId of the Grid Service.
  + The value of the <md:NameIDFormat> element is
"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".  No other
<md:NameIDFormat> elements are allowed.

The <md:RequestedAttribute> elements are for illustration only.  The IdP
may use these elements to supplement its attribute release policy.
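The following is an added example (not the profile's or the project's code) that applies the MUST conditions of both metadata sections above: for the IdP it resolves the AA endpoint used at step 2 only after confirming the entityID, the SAML 1.0 SOAP binding and the presence of the X509SubjectName format (other formats are allowed alongside it); for the Grid Service it insists on exactly one NameIDFormat and also honours the enclosing validUntil, which the profile's example sets to 2010-01-01 and would therefore be refused today. The two metadata documents are constructed, abbreviated copies of the profile's examples; the function names are this example's own.

```python
"""Added example: enforce the profile's metadata MUST conditions before
trusting IdP or Grid Service metadata. Not the GridShib project's code.
IDP_METADATA and SP_METADATA are constructed, shortened copies of the
profile's examples."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
X509_SUBJECT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
IDP_ID = "http://uchicago.edu/gridshib/idp"        # from the profile
GRID_SERVICE_ID = "https://globus.org/gridshib"    # from the profile

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://uchicago.edu/gridshib/idp">
  <md:AttributeAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
      Location="https://gridshib.uchicago.edu/shibboleth/AA"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <!-- a second format the IdP may also advertise (allowed by the profile) -->
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:mdext="urn:oasis:names:tc:SAML:2.0:metadata:extensions"
  Name="urn:mace:shibboleth:examples" validUntil="2010-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://globus.org/gridshib">
    <md:RoleDescriptor xsi:type="mdext:AttributeRequesterDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    </md:RoleDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def tag(local):
    return "{%s}%s" % (MD_NS, local)


def parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_entity(root, entity_id):
    """EntityDescriptor with the given entityID; root.iter() includes root itself."""
    for e in root.iter(tag("EntityDescriptor")):
        if e.get("entityID") == entity_id:
            return e
    raise ValueError("no md:EntityDescriptor with entityID %s" % entity_id)


def idp_attribute_service(md_xml, idp_id):
    """Return the AA Location to POST to at step 2, after the IdP checks."""
    ent = find_entity(ET.fromstring(md_xml), idp_id)
    aa = ent.find(tag("AttributeAuthorityDescriptor"))
    if aa is None:
        raise ValueError("IdP metadata has no md:AttributeAuthorityDescriptor")
    services = [s for s in aa.findall(tag("AttributeService")) if s.get("Binding") == SOAP_BINDING]
    if not services:
        raise ValueError("no md:AttributeService with the SAML 1.0 SOAP binding")
    formats = [(f.text or "").strip() for f in aa.findall(tag("NameIDFormat"))]
    if X509_SUBJECT_FORMAT not in formats:   # others may be present as well
        raise ValueError("IdP does not advertise the X509SubjectName format")
    return services[0].get("Location")


def check_grid_service_metadata(md_xml, sp_id, now):
    """Check the Grid Service entry (and the enclosing validUntil, if any);
    return its single NameIDFormat."""
    root = ET.fromstring(md_xml)
    valid_until = root.get("validUntil")
    if valid_until and now >= parse_instant(valid_until):
        raise ValueError("metadata expired at %s" % valid_until)
    role = find_entity(root, sp_id).find(tag("RoleDescriptor"))
    if role is None:
        raise ValueError("Grid Service metadata has no md:RoleDescriptor")
    formats = [(f.text or "").strip() for f in role.findall(tag("NameIDFormat"))]
    if formats != [X509_SUBJECT_FORMAT]:     # exactly one, and it must be X509SubjectName
        raise ValueError("Grid Service must advertise exactly one NameIDFormat: X509SubjectName")
    return formats[0]


if __name__ == "__main__":
    print("AA endpoint:", idp_attribute_service(IDP_METADATA, IDP_ID))
    print(check_grid_service_metadata(SP_METADATA, GRID_SERVICE_ID, parse_instant("2005-01-01T00:00:00Z")))
```

Resolving the endpoint from metadata, rather than from anything the Grid Client sends at step 1, is what keeps step 2 from being redirected to an AA of the client's choosing; the client only supplies the providerId, which is then looked up in metadata obtained out-of-band.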

-- 
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory


_______________________________________________
Handle-globus mailing list
Handle-globus@cnri.reston.va.us
http://www.cnri.reston.va.us/mailman/listinfo/handle-globus