myVocs-GridShib Integration

In myVocs, a virtual organization (VO) consists of any number of web resources (see the topic Introduction to myVocs). With GridShib installed, the same VO may include any number of grid resources protected by Grid SPs:

GridShib-enabled myVocs Architecture

A new grid user obtains a short-term X.509 credential from a component called the GridShibCertificateAuthority. The GridShibCertificateAuthority is integrated into myVocs in one of two ways: either it is protected by a VO SP (like any other VO resource), or it is protected by the federation SP, the SP that belongs to the Shibboleth federation. The following diagram illustrates the latter scenario:

myVocs-GridShib CA Integration with Federation SP

The corresponding myVocs flow for grid resources is described below:

  1. A browser client requests the GridShib CA protected by a federation SP. If a security context for the principal already exists at the federation SP, skip to step 10.
  2. The client is redirected to the federation IdP (ignoring a possible interaction with the federation WAYF).
  3. The client makes a Shibboleth AuthnRequest to the SSO service at the federation IdP. If a security context for the principal does not exist at the federation IdP, the IdP identifies the principal (details omitted).
  4. The IdP updates the security context for this principal, issues an authentication assertion, and returns an authentication response to the client.
  5. The client submits the authentication response to the assertion consumer service at the federation SP. The assertion consumer service validates the authentication assertion in the response and passes control to the attribute requester.
  6. The attribute requester queries the attribute authority at the federation IdP.
  7. The attribute authority returns an attribute response to the attribute requester. Included in the response is the local principal name of this principal.
  8. The federation SP updates its security context for this principal and redirects the client to the GridShib CA.
  9. The client requests the GridShib CA, the same request made at step 1.
  10. The GridShib CA issues an X.509 credential for the principal, persists the subject DN and the principal name to the VO database, and returns the credential to the client desktop.

Alternatively, the GridShibCertificateAuthority might be protected by a VO SP:

myVocs-GridShib CA Integration with VO SP

In this case, the protocol flow is identical to that of an ordinary VO webapp (see the topic Introduction to myVocs) except for an additional exchange between the GridShibCertificateAuthority and the VO IdP (steps 19–22), which persists the newly minted certificate to myVocs. In either case, throughout the lifetime of the resulting credential, a non-browser desktop client may request a VO resource protected by a Grid SP. The protocol used to access the grid resource is the classic four-step GridShib profile.
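Both integration options end the same way: the GridShib CA mints a short-lived X.509 credential whose subject DN is bound to the principal name asserted by the federation (step 10 of the federation-SP flow), and a Grid SP later has to resolve that DN back to the principal name before it can ask the VO IdP for attributes. The script below is an added example, not code from myVocs or GridShib, that stands in for that issuance step and for the Grid SP's lookup using the openssl command-line tool and a tab-separated file in place of the VO database. The DN prefix /DC=org/DC=myvocs, the CA name, the file layout, the REMOTE_USER-style hand-off from the SP and the one-day lifetime are assumptions made for the example; openssl x509 -req only accepts whole days, whereas the page's short-term credential is meant to live much less than that.

```shell
#!/bin/sh
# Added example (not GridShib's own code): a stand-in for the GridShib CA
# issuance step and the Grid SP's DN-to-principal lookup, using the openssl
# CLI and a tab-separated file as the "VO database".
# Hypothetical assumptions: DN prefix /DC=org/DC=myvocs, a CA named
# "GridShib CA", and day-granularity lifetimes (openssl x509 -req only takes
# -days; a production short-term CA would issue hour-scale certificates).
set -eu

WORK="${WORK:-$(mktemp -d)}"
VO_DB="$WORK/vo-db.tsv"                       # constructed stand-in for the VO database
CA_SUBJ="/DC=org/DC=myvocs/CN=GridShib CA"    # hypothetical CA subject
CERT_DAYS=1

# One-time CA setup. In a real deployment the CA key lives in protected
# storage; here it is a throwaway key in $WORK.
setup_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Derive the subject DN from the principal name the federation IdP released
# (step 7 above). The CA must take this value from the SP's session (for
# example REMOTE_USER), never from a browser-supplied form field, and must
# reject characters such as "/" and "=" that would let a name smuggle extra
# RDNs into the DN string and collide with another principal's DN.
principal_to_dn() {
  case "$1" in
    ""|*[!A-Za-z0-9._@-]*) echo "refusing principal name: $1" >&2; return 1 ;;
  esac
  printf '/DC=org/DC=myvocs/CN=%s\n' "$1"
}

# Issue a short-lived credential for principal $1, persist DN -> principal
# in the VO database, and print the path of the certificate.
issue_credential() {
  principal="$1"
  dn=$(principal_to_dn "$principal") || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "$dn" \
    -keyout "$WORK/$principal.key" -out "$WORK/$principal.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$principal.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$CERT_DAYS" -sha256 \
    -out "$WORK/$principal.pem" 2>/dev/null
  printf '%s\t%s\n' "$dn" "$principal" >> "$VO_DB"
  echo "$WORK/$principal.pem"
}

# Grid SP side: validate the presented certificate against the GridShib CA,
# then resolve its subject DN to the VO principal name that keys the
# attribute query to the VO IdP. Fails if the chain or the mapping is missing.
resolve_principal() {
  cert="$1"
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
  # -nameopt compat prints the slash form on every OpenSSL release; strip the
  # "subject=" prefix (with or without a trailing space) up to the first "/".
  dn=$(openssl x509 -in "$cert" -noout -subject -nameopt compat | sed 's/^[^/]*//')
  principal=$(awk -F'\t' -v d="$dn" '$1 == d { print $2; exit }' "$VO_DB")
  [ -n "$principal" ] || return 1
  echo "$principal"
}

# Run the whole flow when invoked as: sh gridshib-ca-demo.sh demo
if [ "${1:-}" = "demo" ]; then
  setup_ca
  cert=$(issue_credential "jdoe")
  echo "issued $cert for principal $(resolve_principal "$cert")"
  openssl x509 -in "$cert" -noout -dates
fi
```

The check in principal_to_dn is the part worth carrying over to any real deployment: the subject DN is the only thing a Grid SP gets from the TLS handshake, so whatever builds it from the asserted principal name decides whose attributes the grid resource will later see. The resolve step also shows why the CA persists the DN together with the principal name at issuance time rather than parsing the principal back out of the DN.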
