Tom - is this really quickstart-suitable? Things like "implementing a prototype of the first half of this", "in the interim it may be possible to", and "messy" make it sound like I need to wait for a number of people to finish cleaning it up before I make it the method of choice.

Charles

On Jul 23, 2008, at 10:58 AM, Tom Scavo wrote:

On Wed, Jul 23, 2008 at 11:00 AM, Charles Bacon <[EMAIL PROTECTED]> wrote:
On Jul 23, 2008, at 8:37 AM, Alan Sill wrote:

Personally, I wish the Globus team would de-emphasize its inclusion of
SimpleCA and decouple it from the Globus documentation.

If you can recommend an alternative that would get new users up and running
in a demo environment, I would love to hear about it.

Replace the SimpleCA with 1) a SAML identity provider (IdP) that
issues holder-of-key SAML assertions, and 2) a Security Token Service
(STS) that converts a holder-of-key SAML assertion into an X.509
credential.

A non-browser client presents a SAML request and an X.509 certificate
to the IdP.  The latter is a self-signed certificate presented via
SSL/TLS client auth.  The user behind the client authenticates to the
IdP with a username/password via HTTP basic auth or WS-Security
Username Token Profile.  The IdP binds the key in the certificate to
the SAML assertion (i.e., holder-of-key) and signs the assertion.

The client presents the signed holder-of-key SAML assertion and the
X.509 certificate to the STS, again via SSL/TLS client auth.  The STS
verifies the signature on the signed holder-of-key assertion and
confirms that the key bound to the assertion is the same key bound to
the certificate.  It then issues an X.509 credential to the user.

Joana Trindade has implemented a prototype of the first half of this
pair of protocol exchanges.  Another GSoC student was working on the
STS but I haven't heard about the status of that project.  In the
interim, it may be possible to bind the holder-of-key SAML assertion
to a proxy certificate using GridShib SAML Tools.  This requires
modification to GSI since the end-entity certificate is self-signed.
The trust is in the SAML assertion, not the proxy certificate chain.
Think of the proxy that contains the trusted SAML assertion as an
independent proxy.  (Messy, I know, which is why the STS is
desirable.)

Tom
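The two exchanges Tom describes, worked through as an added example (this is not code from the thread, from GridShib, or from any Globus/GSoC project). It assumes a JSON structure standing in for the SAML assertion, ECDSA over SHA-256 standing in for XML-DSig, and that the TLS layer has already proven the client holds the private key for the self-signed certificate it presents; the `IdP`, `STS`, `Assertion` and `RunFlow` names are hypothetical. The point it makes concrete is the STS's holder-of-key check: a second client with its own key that replays the first client's assertion is refused, because the key bound in the assertion is not the key in the certificate it presents.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for a holder-of-key SAML assertion (constructed JSON, not SAML XML).
// HolderKey is the DER SubjectPublicKeyInfo the IdP binds; that binding is what makes the
// assertion holder-of-key rather than bearer.
type Assertion struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`
	NotAfter  int64  `json:"not_after"`
	HolderKey []byte `json:"holder_key"`
}

// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct {
	Payload, Signature []byte
}

// selfSigned makes a key and a self-signed certificate. For the client it carries no trust,
// only the public key that the IdP binds and the STS compares. CertSign is set because the
// certificate signs itself.
func selfSigned(cn string, isCA bool) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IdP authenticates the user (username/password, standing in for HTTP basic auth or a
// WS-Security UsernameToken) and binds the key from the TLS client certificate.
type IdP struct {
	name  string
	key   *ecdsa.PrivateKey
	users map[string]string // constructed demo store; a real IdP keeps password hashes
}

func (idp *IdP) Issue(user, password string, clientCert *x509.Certificate) (*SignedAssertion, error) {
	want, ok := idp.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return nil, errors.New("idp: authentication failed")
	}
	spki, err := x509.MarshalPKIXPublicKey(clientCert.PublicKey)
	if err != nil {
		return nil, err
	}
	payload, err := json.Marshal(Assertion{Issuer: idp.name, Subject: user,
		NotAfter: time.Now().Add(time.Hour).Unix(), HolderKey: spki})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, idp.key, digest[:])
	return &SignedAssertion{Payload: payload, Signature: sig}, err
}

// STS trusts one IdP signing key and issues X.509 credentials from its own CA.
type STS struct {
	idpKey *ecdsa.PublicKey
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
}

func (s *STS) Exchange(sa *SignedAssertion, clientCert *x509.Certificate) (*x509.Certificate, error) {
	digest := sha256.Sum256(sa.Payload) // 1. the assertion must come from the trusted IdP
	if !ecdsa.VerifyASN1(s.idpKey, digest[:], sa.Signature) {
		return nil, errors.New("sts: assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= a.NotAfter {
		return nil, errors.New("sts: assertion expired")
	}
	spki, err := x509.MarshalPKIXPublicKey(clientCert.PublicKey) // 2. holder-of-key check
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(spki, a.HolderKey) {
		return nil, errors.New("sts: holder-of-key mismatch: presenter does not hold the asserted key")
	}
	s.serial++ // 3. issue a credential for the asserted subject and the proven key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(s.serial), Subject: pkix.Name{CommonName: a.Subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Unix(a.NotAfter, 0),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.caCert, clientCert.PublicKey, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunFlow performs both exchanges for user "alice". With replayByOtherClient set, a second
// client with its own self-signed key presents alice's assertion to the STS instead.
func RunFlow(replayByOtherClient bool) (*x509.Certificate, error) {
	idpKey, _, err := selfSigned("demo-idp", false)
	if err != nil {
		return nil, err
	}
	caKey, caCert, err := selfSigned("demo-sts-ca", true)
	if err != nil {
		return nil, err
	}
	_, clientCert, err := selfSigned("alice-selfsigned", false)
	if err != nil {
		return nil, err
	}
	idp := &IdP{name: "demo-idp", key: idpKey, users: map[string]string{"alice": "correct horse"}}
	sts := &STS{idpKey: &idpKey.PublicKey, caCert: caCert, caKey: caKey}
	sa, err := idp.Issue("alice", "correct horse", clientCert)
	if err != nil {
		return nil, err
	}
	presenter := clientCert
	if replayByOtherClient {
		if _, presenter, err = selfSigned("other-client-selfsigned", false); err != nil {
			return nil, err
		}
	}
	cert, err := sts.Exchange(sa, presenter)
	if err != nil {
		return nil, err
	}
	return cert, cert.CheckSignatureFrom(caCert) // the credential chains to the STS CA
}

func main() {
	cert, err := RunFlow(false)
	fmt.Println("legitimate client:", cert.Subject.CommonName, err)
	_, err = RunFlow(true)
	fmt.Println("other client replaying the assertion:", err)
}
```

The trust decision lives entirely in the STS's three checks; the client's self-signed certificate is never trusted as a certificate, which is exactly why no SimpleCA is needed on the client side, and why the interim GridShib approach of carrying the assertion in a proxy behind a self-signed end-entity certificate needs a GSI change that this STS exchange avoids.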
