The classic GridShib Attribute Pull Profile (called Classic GridShib) is an initial attempt to provide interoperability between Globus Toolkit and Shibboleth. The next round of implementations will refine Classic GridShib, decompose the profile (for reusability), and address attribute push in addition to attribute pull.

Why are we extending Classic GridShib?

How are we extending Classic GridShib?
Specific work items include the following:

- The NameQualifier attribute of the NameIdentifier, which carries the Issuer DN of the client certificate.
- A GridShibNameMapper plugin to process the Issuer DN in the NameQualifier attribute.
- A NameMap interface (and everything that depends on it) to map an ordered pair of the form (subjectDN, issuerDN) to a local principal name.

In the assertion, the NameIdentifier Format is X509SubjectName and the value of the NameIdentifier is the Subject DN of the client certificate. The NameQualifier attribute is the Issuer DN of the client certificate.

If the assertion contains an AttributeStatement, the attributes are parsed and the Shibboleth Attribute Requester PIP is bypassed. If, on the other hand, there is only an AuthenticationStatement in the assertion, the Shibboleth Attribute Requester PIP is invoked. Note: The assertion MUST contain an AuthenticationStatement and it MAY contain an AttributeStatement.

Future extensions to Classic GridShib:
Example:
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           AssertionID="_33776a319493ad607b7ab3e689482e45"
           IssueInstant="2006-05-11T16:21:24.575Z"
           Issuer="https://idp.example.org/shibboleth"
           MajorVersion="1" MinorVersion="1">
  <!-- NotBefore and NotOnOrAfter mirror the lifetime of the authn credential -->
  <Conditions NotBefore="2006-05-11T16:21:24.575Z" NotOnOrAfter="2006-05-12T00:21:24.575Z"/>
  <AuthenticationStatement AuthenticationInstant="2006-05-11T16:21:24.575Z"
                           AuthenticationMethod="urn:ietf:rfc:2246">
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                      NameQualifier="C=US, O=NCSA-TEST, OU=GridShib, CN=GridShib-CA">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@xxxxxxxx
      </NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
        <SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </SubjectConfirmationData>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                      NameQualifier="C=US, O=NCSA-TEST, OU=GridShib, CN=GridShib-CA">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
        <SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </SubjectConfirmationData>
      </SubjectConfirmation>
    </Subject>
    <Attribute AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
               AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AttributeValue Scope="uiuc.edu">trscavo</AttributeValue>
    </Attribute>
    <Attribute AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
               AttributeName="urn:mace:dir:attribute-def:givenName">
      <AttributeValue xsi:type="xsd:string">Tom</AttributeValue>
    </Attribute>
    <Attribute AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
               AttributeName="urn:mace:dir:attribute-def:sn">
      <AttributeValue xsi:type="xsd:string">Scavo</AttributeValue>
    </Attribute>
    <Attribute AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
               AttributeName="urn:mace:dir:attribute-def:mail">
      <AttributeValue xsi:type="xsd:string">trscavo@xxxxxxxxx</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <ds:Signature>...</ds:Signature>
</Assertion>
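The following is an added example, not GridShib project code, that applies the processing rules stated above to an assertion shaped like the one in the example: it requires an AuthenticationStatement, reads the Subject DN from the X509SubjectName NameIdentifier and the Issuer DN from its NameQualifier, resolves the ordered pair (subjectDN, issuerDN) to a local principal, and reports whether the Shibboleth Attribute Requester PIP is bypassed (AttributeStatement present) or invoked (AuthenticationStatement only). Assumptions that are not from the page: the NameMap is a plain dict keyed by the pair, the PIP decision is returned as the string "bypass" or "invoke", the two sample assertions are constructed, trimmed copies of the example above, and the check that both statements name the same subject is an extra defensive check, not something the profile text states.

```python
# Added example (not GridShib project code). Assumptions, not from the page:
# NameMap is a dict keyed by (subjectDN, issuerDN); the PIP decision is the
# string "bypass" or "invoke"; the sample assertions are constructed.
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


def q(local):
    """Qualify a local tag name in the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML1, local)


class ProfileError(ValueError):
    """The assertion violates one of the profile's MUST rules."""


def extract_name(name_id):
    """Return (subjectDN, issuerDN) from an X509SubjectName NameIdentifier.

    The element value is the Subject DN of the client certificate and the
    NameQualifier attribute is the Issuer DN, as the profile text specifies.
    """
    if name_id.get("Format") != X509_SUBJECT_NAME:
        raise ProfileError("NameIdentifier Format is not X509SubjectName")
    subject_dn = (name_id.text or "").strip()
    issuer_dn = (name_id.get("NameQualifier") or "").strip()
    if not subject_dn or not issuer_dn:
        raise ProfileError("NameIdentifier needs a Subject DN and a NameQualifier")
    return subject_dn, issuer_dn


def process_assertion(xml_text, name_map):
    """Validate the assertion, map its subject, and decide about the PIP."""
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion"):
        raise ProfileError("root element is not a SAML 1.x Assertion")

    # MUST: the AuthenticationStatement carries the authenticated subject.
    authn = root.find(q("AuthenticationStatement"))
    if authn is None:
        raise ProfileError("assertion MUST contain an AuthenticationStatement")
    authn_id = authn.find(q("Subject") + "/" + q("NameIdentifier"))
    if authn_id is None:
        raise ProfileError("AuthenticationStatement has no NameIdentifier")
    subject_dn, issuer_dn = extract_name(authn_id)

    # NameMap: the ordered pair (subjectDN, issuerDN) selects the local principal.
    principal = name_map.get((subject_dn, issuer_dn))
    if principal is None:
        raise ProfileError("no local principal for (%s, %s)" % (subject_dn, issuer_dn))

    # MAY: with no AttributeStatement the Attribute Requester PIP is invoked.
    attr_stmt = root.find(q("AttributeStatement"))
    if attr_stmt is None:
        return {"principal": principal, "attributes": {}, "pip": "invoke"}

    # Added defensive check (assumption, not stated by the profile text): the
    # pushed attributes must be bound to the same subject that authenticated.
    attr_id = attr_stmt.find(q("Subject") + "/" + q("NameIdentifier"))
    if attr_id is None or extract_name(attr_id) != (subject_dn, issuer_dn):
        raise ProfileError("AttributeStatement subject differs from authenticated subject")

    attributes = {}
    for attr in attr_stmt.findall(q("Attribute")):
        values = [(v.text or "").strip() for v in attr.findall(q("AttributeValue"))]
        attributes[attr.get("AttributeName")] = values
    return {"principal": principal, "attributes": attributes, "pip": "bypass"}


# Constructed NameMap: one (subjectDN, issuerDN) pair from the example above.
SAMPLE_NAME_MAP = {
    ("C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu",
     "C=US, O=NCSA-TEST, OU=GridShib, CN=GridShib-CA"): "trscavo",
}

_NAME_ID = ('<NameIdentifier Format="%s" '
            'NameQualifier="C=US, O=NCSA-TEST, OU=GridShib, CN=GridShib-CA">'
            'C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</NameIdentifier>'
            % X509_SUBJECT_NAME)

# Constructed: AuthenticationStatement only, so the PIP must be invoked.
AUTHN_ONLY_ASSERTION = (
    '<Assertion xmlns="%s" MajorVersion="1" MinorVersion="1">'
    '<AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:2246">'
    '<Subject>%s</Subject></AuthenticationStatement></Assertion>' % (SAML1, _NAME_ID))

# Constructed: attributes pushed in an AttributeStatement, so the PIP is bypassed.
PUSH_ASSERTION = (
    '<Assertion xmlns="%s" MajorVersion="1" MinorVersion="1">'
    '<AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:2246">'
    '<Subject>%s</Subject></AuthenticationStatement>'
    '<AttributeStatement><Subject>%s</Subject>'
    '<Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName">'
    '<AttributeValue Scope="uiuc.edu">trscavo</AttributeValue></Attribute>'
    '<Attribute AttributeName="urn:mace:dir:attribute-def:givenName">'
    '<AttributeValue>Tom</AttributeValue></Attribute>'
    '</AttributeStatement></Assertion>' % (SAML1, _NAME_ID, _NAME_ID))

if __name__ == "__main__":
    print(process_assertion(AUTHN_ONLY_ASSERTION, SAMPLE_NAME_MAP))
    print(process_assertion(PUSH_ASSERTION, SAMPLE_NAME_MAP))
```

Signature verification and holder-of-key confirmation are deliberately outside this block; it only shows the subject mapping and the bypass-or-invoke decision, and rejects an assertion whose AttributeStatement subject does not match the authenticated one.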