Standards and Specifications

GridShib is based on X.509 and SAML standards:

  • X.509
    • Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile. IETF RFC 3280, April 2002.
    • Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. IETF RFC 3820, June 2004.
    • Grid Security Infrastructure (GSI)
  • SAML
    • Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1 (SAMLCore)
      • SAML Request-Response Protocol
        • how to formulate a SAML attribute query
        • how to validate a SAML Response
      • SAML Assertions
        • how to validate a SAML Assertion
    • Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1 (SAMLBind)
      • SOAP Binding for SAML
        • how to bind a SAML request-response message to a SOAP request-response message
    • Shibboleth Architecture: Protocols and Profiles (ShibProt)

Leveraged standards and specifications:

  • X.509 SAML Subject Profile
  • SAML Assertion Profile for X.509 Subjects
    • a subprofile of SAML V1.1 Profiles for X.509 Subjects
    • specifies use of X.509 SAML Subject Profile
    • implemented by ShibbolethAuthenticationAuthorityTool
    • implemented by ShibbolethAttributeAuthorityTool
  • SAML Attribute Query Profile for X.509 Subjects
    • a subprofile of SAML V1.1 Profiles for X.509 Subjects
    • specifies use of SAML Request-Response Protocol
    • specifies use of SOAP Binding for SAML
    • specifies use of SAML Assertion Profile for X.509 Subjects
    • implemented by ShibbolethAttributeQueryPIP
    • implemented by ShibbolethAttributeQueryTool
  • SAML Attribute Self-Query Profile for X.509 Subjects
  • X.509 Binding for SAML
    • how to bind a SAML assertion to an X.509 certificate
    • implemented by SAMLX509BindingTool
  • X.509 Attribute-based Authorization Profile for SAML
    • specifies use of X.509 Binding for SAML
    • specifies use of SAML Assertion Profile for X.509 Subjects
    • implemented by SAMLX509AttributeBasedAuthzPIP
  • X.509 Authorization Decision Profile for SAML
    • specifies use of X.509 Binding for SAML
    • specifies use of SAML Assertion Profile for X.509 Subjects
    • implemented by SAMLX509AuthzDecisionPIP

Other relevant standards and specifications:

  • Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x
  • Metadata Extension for SAML V2.0 and V1.x Query Requesters