GridShib Non-Browser IdP Discovery Profile
A Grid SP that queries for attributes MUST know the client's preferred IdP. There are basically two approaches to this problem: either the Grid SP dynamically queries some third-party discovery service or the Grid Client provides a pointer to its preferred IdP up front.
A Grid Client can bind the providerId of its preferred IdP to the request in a number of different ways:
 1. The pointer can be bound to the transport protocol:
   a. in an extension of an SSL/TLS client certificate
   b. as an HTTP header
   c. as an HTTP parameter
 2. The pointer can be bound to the protocol message:
   a. as a WS-Addressing EPR in a SOAP message
   b. via a WS-Security authentication token
     i. in an extension of an X.509 token
     ii. in an element of a SAML token
In the case of a new grid user, option 1a is feasible since a certificate is issued on the fly. In the established grid user case, however, certificate extensions imply modifications to client software, so other options become more appealing.
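The following is an added illustration, not GridShib code, of how a Grid SP might recover the client-supplied providerId from three of the bindings listed above (a SAML token carried as a WS-Security authentication token, an HTTP header, and an HTTP parameter) and then check it against the set of IdPs the SP actually holds metadata for before querying anything. The header name, parameter name, the registry contents and the sample tokens are constructed for this example; the SAML 1.x and 2.0 issuer locations are taken from those standards. The certificate-extension bindings are not shown because they need an X.509 parser outside the standard library.

```python
"""Resolve a Grid Client's preferred IdP providerId from a request.

Added example, not GridShib code. Header and parameter names, the IdP
registry and the sample tokens are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical names for the two transport-level bindings (option 1b, 1c).
IDP_HEADER = "X-IdP-ProviderId"
IDP_PARAM = "providerId"

# Constructed registry of IdPs the SP has metadata for. The pointer is
# client-supplied, so the SP must refuse to query any providerId not listed.
KNOWN_IDPS = {
    "https://idp.example.edu/shibboleth",
    "https://idp.example.org/idp/shibboleth",
}

# Constructed sample tokens: SAML 1.1 (issuer as attribute) and SAML 2.0
# (issuer as child element).
SAML1_TOKEN = (
    f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1" '
    'Issuer="https://idp.example.edu/shibboleth"/>'
)
SAML2_TOKEN = (
    f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" Version="2.0">'
    "<saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>"
    "</saml2:Assertion>"
)


def idp_from_header(headers):
    """Option 1b: HTTP header names are case-insensitive, so normalise first."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(IDP_HEADER.lower())


def idp_from_query(query_string):
    """Option 1c: providerId passed as a URL-encoded HTTP parameter."""
    values = parse_qs(query_string).get(IDP_PARAM)
    return values[0] if values else None


def idp_from_saml_token(xml_text):
    """Option 2b-ii: the issuer of a SAML assertion used as a WS-Security token.

    Tokens arrive from the client, so a hardened XML parser (e.g. defusedxml)
    should replace ElementTree in production code.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML1_NS}}}Assertion":
        return root.get("Issuer")
    if root.tag == f"{{{SAML2_NS}}}Assertion":
        issuer = root.find(f"{{{SAML2_NS}}}Issuer")
        if issuer is not None and issuer.text:
            return issuer.text.strip()
    return None


def resolve_idp(headers=None, query_string="", saml_token=None):
    """Return the providerId the SP may query, or None.

    The message-level binding is consulted first, then header, then
    parameter. The first binding that is present decides: if its value is
    not a known IdP the lookup fails rather than falling through to a weaker
    binding, so a client cannot override a bad pointer with a second one.
    """
    candidates = []
    if saml_token:
        candidates.append(idp_from_saml_token(saml_token))
    candidates.append(idp_from_header(headers or {}))
    candidates.append(idp_from_query(query_string))
    for provider_id in candidates:
        if provider_id:
            return provider_id if provider_id in KNOWN_IDPS else None
    return None


if __name__ == "__main__":
    print(resolve_idp(saml_token=SAML2_TOKEN))
    print(resolve_idp(headers={IDP_HEADER: "https://idp.example.net/unknown"}))
```

Whatever binding is used, the resolved providerId is only a hint about where to ask for attributes; the attribute response itself still has to be authenticated against that IdP's metadata before the SP relies on it.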