The PIP should do roughly what the SAMLAuthzAssertionPIP does in wsrf core's trunk:

wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/SAMLAuthzAssertionPIP.java

... but for SAML authentication assertions instead of authorization assertions.

TODO:

We need to collectively figure out the right OID to use.

Note:

The assertion must be in the EEC, not in any proxy derived from it. The assertion's signature will not be verified, and is in fact not even expected: since the assertion sits in the EEC itself, the signer of the EEC is the signer of the assertion in the profiles. Within the SAML assertion, if the issuer of the assertion is not the NameQualifier of the NameIdentifier, log a warning only; this is not an error.

Relevant quote from AttributePull:

If the Grid SP chooses to query for attributes, the query MUST be sent to the IdP corresponding to the providerId given in the NameIdentifier/@NameQualifier attribute in the statement. Metadata MAY be used to determine the location endpoint of the corresponding IdP.

Internal details:

The message context should be populated with an object stored in a well-known location (as one of the caller's credentials; see how the analogous caller attribute class is retrieved in ShibbolethPDP). The object should contain the authenticated name as well as a dedicated field for the NameQualifier. For now, respecting the authentication method is not necessary, but we may want to store it in the object already so it is at hand for future uses.
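As an added illustration of the Note and Internal details above (this is not code from the page or from wsrf core), the following Python sketch performs the checks the PIP would run once it has pulled the assertion out of the EEC: it requires an AuthenticationStatement with a NameIdentifier, compares the assertion Issuer against NameIdentifier/@NameQualifier and only warns on a mismatch, keeps the AuthenticationMethod at hand, and stores the resulting caller object under a well-known key in a dict that stands in for the message context. Locating the EEC in the chain and the extension OID are out of scope (the OID is still TODO); the class name SAMLAuthnCaller, the key CALLER_SAML_AUTHN_KEY and the sample assertions are assumptions constructed for the example.

```python
import logging
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("SAMLAuthnAssertionPIP")

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace

# Hypothetical well-known key under which the PIP stores the caller object in the
# message context; the design note does not fix the real key name.
CALLER_SAML_AUTHN_KEY = "org.globus.security.saml.authn.caller"


@dataclass
class SAMLAuthnCaller:
    """Object placed in the message context (field names are assumptions)."""
    authenticated_name: str
    name_qualifier: Optional[str]         # providerId of the IdP to query for attributes
    issuer: str
    authentication_method: Optional[str]  # stored now, not yet acted upon
    issuer_matches_qualifier: bool


def extract_authn_caller(assertion_xml: str) -> SAMLAuthnCaller:
    """Parse an unsigned, unverified SAML 1.x assertion taken from the EEC and build
    the caller object. Only an Issuer/NameQualifier mismatch is tolerated (warning);
    structural problems raise, since without a subject there is nothing to authenticate."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError(f"not a SAML 1.x Assertion: {root.tag}")

    issuer = root.get("Issuer")
    if not issuer:
        raise ValueError("Assertion has no Issuer attribute")

    stmt = root.find(f"{{{SAML_NS}}}AuthenticationStatement")
    if stmt is None:
        raise ValueError("Assertion carries no AuthenticationStatement")

    name_id = stmt.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    name = (name_id.text or "").strip() if name_id is not None else ""
    if not name:
        raise ValueError("AuthenticationStatement has no NameIdentifier")

    qualifier = name_id.get("NameQualifier")
    matches = qualifier == issuer
    if not matches:
        # Per the design note this is a warning only, not an error.
        log.warning("Assertion Issuer %r differs from NameIdentifier/@NameQualifier %r",
                    issuer, qualifier)

    return SAMLAuthnCaller(
        authenticated_name=name,
        name_qualifier=qualifier,
        issuer=issuer,
        authentication_method=stmt.get("AuthenticationMethod"),
        issuer_matches_qualifier=matches,
    )


def populate_message_context(context: Dict[str, object], assertion_xml: str) -> SAMLAuthnCaller:
    """Store the caller object in the (dict-modelled) message context and return it."""
    caller = extract_authn_caller(assertion_xml)
    context[CALLER_SAML_AUTHN_KEY] = caller
    return caller


# Constructed sample assertion, shaped like one embedded in the EEC extension.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example-1"
    Issuer="https://idp.example.org/shibboleth" IssueInstant="2006-01-01T00:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="https://idp.example.org/shibboleth"
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.org</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed variant whose Issuer differs from the NameQualifier (warning case).
MISMATCHED_ASSERTION = SAMPLE_ASSERTION.replace(
    'Issuer="https://idp.example.org/shibboleth"',
    'Issuer="https://other-idp.example.net/shibboleth"')

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ctx: Dict[str, object] = {}
    print(populate_message_context(ctx, SAMPLE_ASSERTION))
    print(populate_message_context(ctx, MISMATCHED_ASSERTION))
```

Running the module prints both caller objects; the second call also emits the warning line for the Issuer/NameQualifier mismatch while still succeeding, which is the behaviour the Note calls for.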
