By definition, a SAML SP is a participant in a browser profile. A SAML SP (such as the Shib SP) consumes two types of SAML responses:
In the presence of attribute push, however, there is no attribute response since attributes are bundled with the authentication response. In either case, attributes are resolved based on a previous act of authentication at the IdP.
In contrast, a Grid SP does not participate in a browser profile, so a Grid SP is unlike a Shib SP. A Grid SP consumes SAML as follows:
In the case of standalone attribute query, the Grid SP may be the principal (wielding an Attribute Query Client) or more likely the Grid SP is an entity acting on behalf of the principal (such as GridShibForGlobusToolkit).
In the other case, the Grid SP consumes pushed SAML assertions bound to X.509 certificates or SOAP messages. Like a pulled SAML response, the pushed assertions are used exclusively for access control (not authentication). However, a pushed assertion may include an AuthenticationStatement that describes a previous act of authentication, such as authentication to an online CA (like the GridShibCertificateAuthority) or a gateway (like a TeraGrid ScienceGateway).
Here's one possible algorithm for GSI attribute-based authorization at the Grid SP:
Here's more detail for steps 5, 6, and 7.
If there is an SIA extension, iterate over all values until a trusted IdP entityID is found. If there is a Subject Alt Name extension, iterate over all values until a SAML Subject is found. If both are found, pull attributes from the trusted IdP in the SIA extension based on the SAML Subject in the Subject Alt Name extension.
If there are bound SAML assertions, iterate over all assertions until a trusted Issuer is found as follows:

    while (more assertions and not found) {
      if (self-issued assertion) {
        // a self-issued assertion only counts if it wraps an assertion from a trusted Issuer
        if (contains nested assertion) {
          if (trusted Issuer) {
            found = true;
          }
        }
      } else {
        // any other assertion counts if its own Issuer is trusted
        if (trusted Issuer) {
          found = true;
        }
      }
    }
If a trusted issuer is found, pull attributes based on the Subject in a bound SAML assertion.
If a trusted IdP was found at step 5, or a trusted IdP is otherwise configured at the Grid SP, pull attributes based on the Subject DN in the certificate.
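The following is an added example (not GridShib or Globus code) that carries steps 5, 6 and 7 above through in working Python over a constructed credential. It models only the fields the algorithm inspects; the data classes, the `saml-subject` tag used to mark a SAML Subject among the Subject Alt Name values, the rule that an assertion is "self-issued" when its Issuer equals the certificate Subject DN, and the sample entityIDs and DNs are all assumptions made for the example. The three steps are run independently and each step that applies yields the attribute query it justifies, so an assertion from an untrusted Issuer never produces a query.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Assertion:
    """A SAML assertion bound to the certificate (constructed model)."""
    issuer: str
    subject: str
    # A self-issued assertion may wrap an IdP-issued assertion; assumption:
    # this is what "contains nested assertion" refers to.
    nested: Optional[Assertion] = None


@dataclass
class Certificate:
    """The parts of a GSI credential that the algorithm looks at (constructed model)."""
    subject_dn: str
    sia: list[str] = field(default_factory=list)               # SIA extension values (candidate IdP entityIDs)
    san: list[tuple[str, str]] = field(default_factory=list)   # (kind, value) pairs from Subject Alt Name
    bound_assertions: list[Assertion] = field(default_factory=list)


@dataclass(frozen=True)
class AttributeQuery:
    """What the Grid SP would ask: attributes of `subject` from `idp`, produced by `step`."""
    idp: str
    subject: str
    step: int


SAML_SUBJECT_KIND = "saml-subject"   # constructed tag for the SAN value carrying a SAML Subject


def trusted_idp_from_sia(cert: Certificate, trusted_idps: set[str]) -> Optional[str]:
    """Step 5: first SIA value that names a trusted IdP entityID, else None."""
    for value in cert.sia:
        if value in trusted_idps:
            return value
    return None


def saml_subject_from_san(cert: Certificate) -> Optional[str]:
    """Step 5: first Subject Alt Name value that is a SAML Subject, else None."""
    for kind, value in cert.san:
        if kind == SAML_SUBJECT_KIND:
            return value
    return None


def query_from_bound_assertions(cert: Certificate, trusted_idps: set[str]) -> Optional[AttributeQuery]:
    """Step 6: walk the bound assertions until a trusted Issuer is found.
    A self-issued assertion (Issuer == certificate Subject DN, an assumption) counts
    only if it nests an assertion from a trusted Issuer; any other assertion counts
    if its own Issuer is trusted. The Subject of the matching assertion is used."""
    for a in cert.bound_assertions:
        if a.issuer == cert.subject_dn:
            if a.nested is not None and a.nested.issuer in trusted_idps:
                return AttributeQuery(a.nested.issuer, a.nested.subject, 6)
        elif a.issuer in trusted_idps:
            return AttributeQuery(a.issuer, a.subject, 6)
    return None


def select_attribute_queries(cert: Certificate, trusted_idps: set[str],
                             configured_idp: Optional[str] = None) -> list[AttributeQuery]:
    """Run steps 5, 6 and 7 and return the attribute queries they justify, in step order."""
    queries: list[AttributeQuery] = []
    idp = trusted_idp_from_sia(cert, trusted_idps)
    subject = saml_subject_from_san(cert)
    if idp and subject:                                   # step 5: SIA + SAN
        queries.append(AttributeQuery(idp, subject, 5))
    q6 = query_from_bound_assertions(cert, trusted_idps)  # step 6: bound assertions
    if q6 is not None:
        queries.append(q6)
    fallback_idp = idp or configured_idp                  # step 7: Subject DN at the step-5 or configured IdP
    if fallback_idp:
        queries.append(AttributeQuery(fallback_idp, cert.subject_dn, 7))
    return queries


TRUSTED_IDPS = {"https://idp.example.org/shibboleth"}   # constructed trust list

# Constructed credential: the SIA names an untrusted IdP before the trusted one, the SAN
# carries a SAML Subject, and a self-issued assertion wraps one from the trusted IdP.
SAMPLE_CERT = Certificate(
    subject_dn="/C=US/O=Example Grid/CN=Alice",
    sia=["https://idp.untrusted.example/shibboleth", "https://idp.example.org/shibboleth"],
    san=[("email", "alice@example.org"), ("saml-subject", "alice@example.org")],
    bound_assertions=[
        Assertion(issuer="https://idp.untrusted.example/shibboleth", subject="alice"),
        Assertion(issuer="/C=US/O=Example Grid/CN=Alice", subject="alice",
                  nested=Assertion(issuer="https://idp.example.org/shibboleth",
                                   subject="alice@example.org")),
    ],
)

if __name__ == "__main__":
    for q in select_attribute_queries(SAMPLE_CERT, TRUSTED_IDPS):
        print(f"step {q.step}: ask {q.idp} for attributes of {q.subject}")
```

Running it against the sample credential prints one query per step; a credential whose only bound assertion comes from an untrusted Issuer and that has no SIA match yields no query at all unless the Grid SP has a trusted IdP configured, in which case only the step-7 Subject DN query remains.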