Implementation Plan

Proposed: October 12, 2006

Development

  • GridShib for GT
    • implement Simple SAML PIP
    • extract SAML from the last certificate in the chain (EEC or proxy)
    • expect zero or one SAML assertions with 1–2 statements
    • assertions are self-issued and unsigned
    • assertions do not contain Conditions or SubjectConfirmation elements
    • assertions do not contain an Advice element (i.e., ignore nested assertions)
    • statements may be AttributeStatement or AuthenticationStatement
    • log all attributes including XML attributes of AuthenticationStatement
    • (do not query if SAML is pushed)
    • leverage Globus SAML library (below) especially SAMLSubjectAssertion class
  • GridShib for Shib
    • [done] rename package edu.internet2.middleware.shibboleth to edu.uiuc.ncsa.middleware.shibboleth
    • separate Certificate Registry from main distribution (make it totally optional)
    • [in progress] implement SAML Issuer Tool
  • GridShib Authentication Assertion Client
    • (will be refactored as a result of SAML X.509 Binding Tool)
    • conform to SAML V1.1 Subject-based Assertion Profile
    • [done] hardwire the assertion issuer (the issuer of the assertion MUST be the subject of the proxy)
    • [done] leverage SAML X.509 Binding Tool (below)
    • expand command-line options
  • SAML Assertion Tools
  • Globus SAML Library
    • [done] augment license headers (if needed)
    • [done] rename package org.opensaml.nameid to org.globus.opensaml11.saml.nameid
    • [done] implement object equivalence
    • [done] enhance SAMLNameIdentifier class (and its unit test)
    • implement SAMLAssertion.checkConditions method
    • [done] implement SAMLSubjectAssertion class (and corresponding unit test)
    • [done] implement SAMLSubjectAssertion.checkValidity method
    • [done] implement "very strongly matches" in SAMLSubjectAssertion
    • [in progress] implement "strongly matches" in SAMLSubject
    • [done] enhance SAMLSubjectTest
    • [done] implement concrete SAMLSubjectStatement class
    • override SAMLResponse.checkValidity method
    • commit package org.globus.opensaml11.saml to CVS
  • GridShib CA
    • register certificate on the front channel
    • bind simple attribute assertion to EEC
    • (do not bind SSO assertions)
    • bind IdP entityID to SIA extension
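
The Simple SAML PIP constraints listed under "GridShib for GT", as an added example that is not GridShib or Globus Toolkit code (the plan's implementation is Java on the Globus SAML library): a Python checker over an assertion that has already been pulled out of the last certificate in the chain. The sample assertion, the subject DN and the function names are constructed for illustration; the certificate extension that carries the assertion and its decoding are not specified on this page and are left outside the example. The issuer check applies the rule stated for the authentication assertion client (the issuer MUST be the subject of the proxy), and the requirement that all statements name the same subject is an assumed reading of the subject-based assertion profile.

```python
# Added example (not GridShib/Globus code): Simple SAML PIP constraint checker.
# Standard library only.  Sample data below is constructed.
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def saml(tag):
    return "{%s}%s" % (SAML1_NS, tag)


ALLOWED_STATEMENTS = (saml("AttributeStatement"), saml("AuthenticationStatement"))


class PIPError(Exception):
    """Raised when a pushed assertion violates a Simple SAML PIP constraint."""


def subject_key(statement):
    """(Format, value) of a statement's NameIdentifier; used to confirm that every
    statement is about the same subject (assumed reading of the subject-based profile)."""
    nid = statement.find("%s/%s" % (saml("Subject"), saml("NameIdentifier")))
    if nid is None:
        raise PIPError("statement without a Subject/NameIdentifier")
    return (nid.get("Format"), (nid.text or "").strip())


def process_pushed_assertions(assertions, cert_subject_dn):
    """assertions: XML strings already extracted from the last certificate in the
    chain (EEC or proxy).  Returns log records (kind, name, value), or [] when
    nothing was pushed.  Raises PIPError on any constraint violation."""
    if not assertions:
        return []  # nothing pushed; the PIP has nothing to record
    if len(assertions) > 1:
        raise PIPError("expected zero or one assertion, got %d" % len(assertions))

    root = ET.fromstring(assertions[0])
    if root.tag != saml("Assertion"):
        raise PIPError("root element is not saml:Assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise PIPError("not a SAML 1.1 assertion")
    # self-issued: the Issuer must be the subject of the certificate carrying it
    if root.get("Issuer") != cert_subject_dn:
        raise PIPError("assertion is not self-issued: Issuer=%r" % root.get("Issuer"))
    # unsigned: a ds:Signature is rejected outright, not verified
    if root.find("{%s}Signature" % DSIG_NS) is not None:
        raise PIPError("signed assertion not accepted")
    if root.find(saml("Conditions")) is not None:
        raise PIPError("Conditions element not allowed")
    if root.find(".//" + saml("SubjectConfirmation")) is not None:
        raise PIPError("SubjectConfirmation element not allowed")

    # Advice (nested assertions) is ignored rather than rejected
    statements = [child for child in root if child.tag != saml("Advice")]
    if not 1 <= len(statements) <= 2:
        raise PIPError("expected 1-2 statements, got %d" % len(statements))

    records = []
    subjects = set()
    for st in statements:
        if st.tag not in ALLOWED_STATEMENTS:
            raise PIPError("unexpected statement %s" % st.tag)
        subjects.add(subject_key(st))
        if st.tag == saml("AuthenticationStatement"):
            # log the XML attributes of the statement itself (method, instant, ...)
            for name, value in sorted(st.attrib.items()):
                records.append(("AuthenticationStatement", name, value))
        else:
            for attr in st.findall(saml("Attribute")):
                values = [(v.text or "").strip() for v in attr.findall(saml("AttributeValue"))]
                records.append(("Attribute", attr.get("AttributeName"), ";".join(values)))
    if len(subjects) != 1:
        raise PIPError("statements do not agree on the subject")
    return records


# Constructed sample: a self-issued, unsigned assertion as the PIP would see it.
SUBJECT_DN = "/C=US/O=NCSA/CN=Alice Example"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_1" Issuer="/C=US/O=NCSA/CN=Alice Example"
  IssueInstant="2006-10-12T15:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2006-10-12T14:59:00Z">
    <saml:Subject><saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">_abc</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">_abc</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for record in process_pushed_assertions([SAMPLE_ASSERTION], SUBJECT_DN):
        print(record)
```

Because the assertion is self-issued and unsigned, the only thing binding it to a principal is the certificate it rides in, so the checker treats a mismatch between Issuer and the carrying certificate's subject, or any signature, Conditions or SubjectConfirmation, as a hard failure rather than something to evaluate. Advice is dropped silently, matching the plan's "ignore nested assertions".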

Specifications

Deliverables

  • GridShib for GT V0.6
  • GridShib for Shib V0.6 (Jan 2007)
    • improved packaging and documentation
    • Shib SAML Issuer Tool
  • GridShib SAML Tools (Jan 2007)
    • GridShib SAML Issuer Tool
    • SAML X.509 Binding Tool
    • GridShib Attribute Query Client
  • Globus SAML Library V?
  • Subject-based Assertion Profile for SAML V1.1
  • X.509 Binding for SAML Assertions