GridShib Attribute Exchange Profile with Attribute Push

Preconditions

  • The Grid User and the Grid Service Provider (SP) each possess an X.509 credential.
  • The Grid User has an account with a Shibboleth Identity Provider (IdP).
  • The Grid Client application has access to the Grid User's X.509 credential.
  • The Grid User's X.509 certificate contains a SAML attribute assertion.
  • The IdP and the Grid SP have each been assigned a unique identifier called a providerId.
  • The Grid SP and the IdP rely on the same metadata format and exchange this metadata out-of-band.

Protocol Flow

Overview

This GridShib profile consists of two (2) steps:

  1. The Grid Client requests a service at the Grid SP.
  2. The Grid SP performs the requested operation and returns a response to the Grid Client.

GridShib Attribute Push Profile

Outline

  1. The Grid Client requests a service at the Grid SP. The Client presents an X.509 credential with embedded attribute assertion to the Grid SP.
  2. The Grid SP authenticates the Client, parses the attribute assertion, performs the requested operation, and returns a response to the Grid Client.

Examples
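The two-step flow outlined above, as an added Go example using only the standard library (this is not GridShib's own code, which is Java, and the way it stores the assertion in the extension is a simplification). Step 1 issues the Grid User a certificate from a throwaway CA with a constructed SAML assertion stored as raw XML in a private, non-critical extension. Step 2 is the Grid SP's side: it authenticates the presented certificate against its trust anchors before it touches the assertion, then checks the assertion's namespace and issuer against the one IdP it is configured for (the providerId from the preconditions), and finally requires the assertion's NameID to match the certificate subject. The extension OID, the IdP providerId, the user "alice" and her attributes are assumptions made for the example; the NameID-to-subject binding rule is the example's own choice, not something the profile states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

const SAMLNS = "urn:oasis:names:tc:SAML:2.0:assertion"     // assertion namespace the SP insists on
const idpProviderID = "https://idp.example.org/shibboleth" // providerId of the one IdP this SP trusts (constructed)

// Placeholder OID under a made-up private arc for the extension carrying the assertion; not GridShib's registered one.
var extOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// SampleAssertion is a constructed assertion standing in for what the IdP issued to user "alice".
const SampleAssertion = `<saml:Assertion xmlns:saml="` + SAMLNS + `" Version="2.0" ID="_example1">
  <saml:Issuer>` + idpProviderID + `</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>`

type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Issuer     string      `xml:"Issuer"`
	NameID     string      `xml:"Subject>NameID"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// SPProcessRequest is step 2 of the profile: authenticate the client credential, then parse the assertion it carries.
func SPProcessRequest(certDER []byte, roots *x509.CertPool) (*Assertion, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	// Chain validation comes first: an assertion inside an untrusted credential is never parsed.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("client authentication failed: %w", err)
	}
	for _, e := range cert.Extensions {
		if e.Id.Equal(extOID) {
			var a Assertion
			if err := xml.Unmarshal(e.Value, &a); err != nil {
				return nil, fmt.Errorf("malformed assertion: %w", err)
			}
			if a.XMLName.Space != SAMLNS || a.Issuer != idpProviderID {
				return nil, fmt.Errorf("assertion not from the configured IdP (namespace %q, issuer %q)", a.XMLName.Space, a.Issuer)
			}
			if a.NameID != cert.Subject.CommonName { // binding rule chosen for this example
				return nil, fmt.Errorf("assertion names %q but the certificate subject is %q", a.NameID, cert.Subject.CommonName)
			}
			return &a, nil
		}
	}
	return nil, fmt.Errorf("credential %q carries no attribute assertion", cert.Subject.CommonName)
}

// RunFlow embeds SampleAssertion in a fresh credential (step 1) and hands it to the SP (step 2); with trustIssuer false the SP's trust store stays empty.
func RunFlow(trustIssuer bool) (*Assertion, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	userPub, _, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed")
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: extOID, Value: []byte(SampleAssertion)}}} // pushed assertion in a non-critical private extension
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, ca, userPub, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	if trustIssuer {
		roots.AddCert(ca)
	}
	return SPProcessRequest(userDER, roots)
}
```

RunFlow(true) returns the parsed assertion with the eduPersonAffiliation values "member" and "staff"; RunFlow(false) must fail at the authentication step before any XML is read. That ordering is the point of the example: a pushed assertion is only as trustworthy as the credential that carried it and the IdP that issued it, so the SP validates the chain and the issuer before it acts on any attribute.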

Issues
