GridShib Beta Attribute Exchange Profile

Preconditions

Protocol Flow

Overview

This GridShib profile consists of four (4) steps:

  1. The Grid Client requests a service at the Grid SP.
  2. The Grid SP authenticates the Client and queries the Attribute Authority (AA) at the IdP.
  3. The AA returns an attribute assertion to the Grid SP.
  4. The Grid SP parses the attribute assertion, performs the requested service, and returns a response to the Grid Client.

Figure: GridShib Attribute Pull Profile (image: http://gridshib.globus.org/images/profiles/gridshib-beta-attribute-pull_files/image001.gif)

Description

Step 1 is the beginning of a normal grid request/response cycle. At step 1, the Grid Client presents an ordinary X.509 proxy certificate to the Grid SP. (See the Issues section, however.)

At step 2, the Grid SP authenticates the Client and queries the AA at the IdP. The Subject of the query is the DN from the proxy certificate. For example, the Grid SP might POST a SAML SOAP request similar to the following:

POST /shibboleth/AA HTTP/1.1
Host: gridshib.uchicago.edu
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
	 <samlp:Request
		xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
		xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
		MajorVersion="1" MinorVersion="1"
		IssueInstant="2004-12-05T09:22:04Z" 
		RequestID="aaf23196-1773-2113-474a-fe114412ab72">
		<samlp:AttributeQuery 
		  Resource="https://globus.org/gridshib">  <!-- Grid SP providerId -->
		  <saml:Subject>
			 <saml:NameIdentifier
				Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
				NameQualifier="https://idp.uchicago.edu/shibboleth">  <!-- IdP providerId -->
				<!-- insert X.509 Subject DN here -->
			 </saml:NameIdentifier>
		  </saml:Subject>
		  <!-- the requested attributes are for illustration only -->
		  <saml:AttributeDesignator 
			 AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
			 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
		  <saml:AttributeDesignator 
			 AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
			 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
		</samlp:AttributeQuery>
	 </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

At step 3, the AA authenticates the requester, maps the DN to a local principal name, formulates an attribute assertion, and returns the assertion to the Grid SP:

HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnnn

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
	 <samlp:Response
		xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
		InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
		IssueInstant="2004-12-05T09:22:05Z" 
		MajorVersion="1" MinorVersion="1"
		ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
		<samlp:Status>
		  <samlp:StatusCode Value="samlp:Success"/>
		</samlp:Status>
		<saml:Assertion 
		  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
		  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
		  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		  MajorVersion="1" MinorVersion="1"
		  AssertionID="a144e8f3-adad-594a-9649-924517abe933"
		  IssueInstant="2004-12-05T09:22:05Z" 
		  Issuer="https://idp.uchicago.edu/shibboleth">  <!-- IdP providerId -->
		  <saml:Conditions 
			 NotBefore="2004-12-05T09:17:05Z"
			 NotOnOrAfter="2004-12-05T09:52:05Z">
			 <saml:AudienceRestrictionCondition>
				<!-- Grid Service providerId -->
				<saml:Audience>https://globus.org/gridshib</saml:Audience>
			 </saml:AudienceRestrictionCondition>
		  </saml:Conditions>
		  <saml:AttributeStatement>
			 <saml:Subject>
				<saml:NameIdentifier
				  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
				  NameQualifier="https://idp.uchicago.edu/shibboleth">  <!-- IdP providerId -->
				  <!-- insert X.509 Subject DN here -->
				</saml:NameIdentifier>
			 </saml:Subject>
			 <saml:Attribute 
				AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
				AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
				<saml:AttributeValue>
				  member
				</saml:AttributeValue>
			 </saml:Attribute>
			 <saml:Attribute 
				AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
				AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
				<saml:AttributeValue Scope="uchicago.edu">
				  gridshib
				</saml:AttributeValue>
			 </saml:Attribute>
		  </saml:AttributeStatement>
		</saml:Assertion>
	 </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Finally, at step 4, the Grid SP parses the attribute assertion, caches the attributes, makes an access control decision, and returns a response to the Grid Client.
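As an added example (not GridShib's own code), here is the acceptance check a Grid SP can run at step 4 on the step-3 response before caching any attributes: it ties the response to the outstanding RequestID, requires a Success status, compares the assertion Issuer with the IdP providerId known from metadata, enforces the Conditions window and audience, and matches the subject DN to the proxy certificate presented at step 1. The sample response and DN are constructed, and the SOAP exchange is assumed to have been authenticated at the transport layer as the page describes, so no XML signature verification is shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed step-3 response modelled on the page's message; the DN is made up.
RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body><samlp:Response xmlns:samlp="{NS['samlp']}" MajorVersion="1" MinorVersion="1"
   InResponseTo="aaf23196-1773-2113-474a-fe114412ab72" IssueInstant="2004-12-05T09:22:05Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="{NS['saml']}" Issuer="https://idp.uchicago.edu/shibboleth">
   <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:52:05Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://globus.org/gridshib</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="{X509_FMT}"
      NameQualifier="https://idp.uchicago.edu/shibboleth">/C=US/O=Example/CN=gridshib</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
     <saml:AttributeValue> member </saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </samlp:Response></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

def ts(s):  # SAML dateTime in UTC, e.g. 2004-12-05T09:22:05Z; "" raises ValueError
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def require(cond, why):
    if not cond:
        raise ValueError(why)  # reject the whole response; cache nothing

def accept_attributes(xml_text, request_id, idp_id, sp_id, proxy_dn, now):
    # Step-4 checks in order; returns {AttributeName: [values]} only if all pass.
    resp = ET.fromstring(xml_text).find(".//samlp:Response", NS)
    require(resp is not None and resp.get("InResponseTo") == request_id, "not a reply to our RequestID")
    st = resp.find("samlp:Status/samlp:StatusCode", NS)  # samlp prefix is bound to the SAML 1.0 protocol ns
    require(st is not None and st.get("Value") == "samlp:Success", "AA did not return Success")
    a = resp.find("saml:Assertion", NS)
    require(a is not None and a.get("Issuer") == idp_id, "Issuer is not the IdP providerId from metadata")
    c = a.find("saml:Conditions", NS)  # SP policy here: Conditions with an audience are mandatory
    require(c is not None and ts(c.get("NotBefore", "")) <= now < ts(c.get("NotOnOrAfter", "")), "outside validity window")
    require(sp_id in [x.text for x in c.iterfind(".//saml:Audience", NS)], "not addressed to this Grid SP")
    nid = a.find("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", NS)
    require(nid is not None and nid.get("Format") == X509_FMT and nid.text.strip() == proxy_dn, "subject is not the proxy DN")
    return {at.get("AttributeName"): [v.text.strip() for v in at.iterfind("saml:AttributeValue", NS)]
            for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}  # strip: values carry whitespace
```

Every rejection raises before any attribute is returned, so a mismatch in audience, issuer, window, subject or request correlation leaves the SP's attribute cache untouched.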

Both the IdP and the Grid SP rely on SAML 2.0 metadata. GridShib for Shibboleth supports a framework for consuming Grid SP metadata whereby the metadata file includes an EntityDescriptor element for each Grid SP that the IdP trusts. SAML 2.0 does not define a role for Grid SPs, however, so an extended role of type AttributeRequesterDescriptorType has been specified for use with this profile. The role of each such entity is that of a standalone attribute requester.

Illustrative metadata examples from Globus CVS:

Requirements

The following requirements must be satisfied:

Attribute Query

Attribute Response

IdP Metadata

Grid SP Metadata

Security and Privacy Considerations

TBD

Issues