GridShib Attribute Exchange Profile with Attribute Push
Preconditions
- The Grid User and the Grid Service Provider (SP) each possess an X.509 credential.
- The Grid User has an account with a Shibboleth Identity Provider (IdP).
- The Grid Client application has access to the Grid User's X.509 credential.
- The Grid User's X.509 certificate contains a SAML attribute assertion.
- The IdP and the Grid SP have each been assigned a unique identifier, called a providerId.
- The Grid SP and the IdP rely on the same metadata format and exchange this metadata out-of-band.
Protocol Flow
Overview
This GridShib profile consists of two steps:
- The Grid Client requests a service at the Grid SP.
- The Grid SP performs the requested operation and returns a response to the Grid Client.
Outline
- The Grid Client requests a service at the Grid SP. The Client presents an X.509 credential with an embedded attribute assertion to the Grid SP.
- The Grid SP authenticates the Client, parses the attribute assertion, performs the requested operation, and returns a response to the Grid Client.
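What the Grid SP's second step looks like once the assertion has been pulled out of the client certificate, as an added example (not code from GridShib or its reference implementation). It assumes the assertion uses SAML 1.1 syntax, that the SP's X.509 authentication has already verified the certificate chain that binds the assertion to the Client, and that the trusted IdP providerIds and the SP's own providerId (placeholder values here) come from the out-of-band metadata.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace

# Constructed sample assertion, standing in for the one the SP extracts from
# the client certificate; the providerIds below are placeholders.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" MajorVersion="1" MinorVersion="1"
 AssertionID="_constructed" Issuer="https://idp.example.org/shibboleth"
 IssueInstant="2024-01-01T12:00:00Z">
 <Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-02T12:00:00Z">
  <AudienceRestrictionCondition><Audience>https://sp.example.org/grid</Audience>
  </AudienceRestrictionCondition></Conditions>
 <AttributeStatement><Subject><NameIdentifier>alice</NameIdentifier></Subject>
  <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
   AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
   <AttributeValue>member</AttributeValue><AttributeValue>staff</AttributeValue>
  </Attribute></AttributeStatement></Assertion>"""

def parse_time(s):
    """SAML dateTime in UTC ('...Z') -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, trusted_idps, sp_provider_id, now):
    """Grid SP side: return {AttributeName: [values]} if the pushed assertion
    may be used for authorization, or None if any check fails."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None
    # Issuer must be an IdP providerId learned from the out-of-band metadata.
    if root.get("Issuer") not in trusted_idps:
        return None
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):          # not yet valid
            return None
        if na and now >= parse_time(na):         # expired (NotOnOrAfter is exclusive)
            return None
        # If the IdP scoped the assertion, this SP's providerId must be listed.
        audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
        if audiences and sp_provider_id not in audiences:
            return None
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("AttributeName")] = [
            v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return attrs
```

Attribute values are handed to the authorization step only after the issuer, validity-window and audience checks pass, so an assertion from an unknown IdP or one scoped to a different SP is rejected before any attribute is read.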