On Wed, Jul 23, 2008 at 11:58 AM, Tom Scavo <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 23, 2008 at 11:00 AM, Charles Bacon <[EMAIL PROTECTED]> wrote:
>>
>> If you can recommend an alternative that would get new users up and running
>> in a demo environment, I would love to hear about it.
>
> Replace the SimpleCA with 1) a SAML identity provider (IdP) that
> issues holder-of-key SAML assertions, and 2) a Security Token Service
> (STS) that converts a holder-of-key SAML assertion into an X.509
> credential.
>
> A non-browser client presents a SAML request and an X.509 certificate
> to the IdP.  The latter is a self-signed certificate presented via
> SSL/TLS client auth.  The user behind the client authenticates to the
> IdP with a username/password via HTTP basic auth or WS-Security
> Username Token Profile.  The IdP binds the key in the certificate to
> the SAML assertion (i.e., holder-of-key) and signs the assertion.

Let me take this just a little bit further and see if we can
straighten out the mess :-)  Let's *not* use a self-signed certificate
since that breaks GSI.  Instead assume that the end-entity certificate
is "meaningless," that is, signed by the "meaningless CA."  (See this
spec for definitions of these terms:

http://www.connotech.com/pkc-only-meaningless-certs.pdf

Basically, the private key and DN of the meaningless CA are well-known
quantities.)  An end-entity certificate signed by the meaningless CA
is no better than a self-signed certificate, but at least it doesn't
break GSI.

Now put the meaningless CA certificate in the Globus trusted
certificates directory and make this relatively minor change (I think)
to the GSI authentication handler: If the presented proxy certificate
chain is rooted in the meaningless CA, set the Globus identity to
"anonymous."  In the gridmap (if used), the anonymous user might map
to "guest," or maybe policy dictates that anonymous users don't have
access, period.  That's okay, as long as a proxy rooted in the
meaningless CA is validated in the same way that a proxy rooted in a
trusted CA is validated.

What this does is open the door to the previous use case (details
omitted).  Now I can write a PIP that traverses the proxy certificate
chain looking for a trusted holder-of-key SAML assertion.  If one is
found, the PIP populates a distinguished "SAML identity" and passes
control to a PDP that inspects the security contexts of the Globus
identity and the SAML identity in sequence.

Does this make sense?  If you provide support for the meaningless CA
(or something like it), I'll do the rest :-)

Tom
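An added illustration of the handler change proposed above (not code from this thread or from the Globus Toolkit): both CAs are built with Go's standard x509 library, a plain end-entity certificate stands in for the proxy certificate chain (assumption, since Go does not build RFC 3820 proxy chains), and the names NewCert and GridIdentity are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert issues a certificate for cn. With a nil parent it becomes a self-signed
// CA (a trusted CA, or the "meaningless CA" whose key everyone is allowed to know).
func NewCert(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// GridIdentity is the proposed handler change: validate the presented chain the
// same way for every root in the trust store, then map a chain whose root is the
// meaningless CA to "anonymous" instead of the certificate's DN. Anything that
// does not chain to the store, is expired or has a bad signature is still rejected.
func GridIdentity(leaf *x509.Certificate, trusted *x509.CertPool, meaningless *x509.Certificate) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err
	}
	if root := chains[0][len(chains[0])-1]; root.Equal(meaningless) {
		return "anonymous", nil
	}
	return leaf.Subject.String(), nil
}
```

A gridmap lookup would then map "anonymous" to "guest" or to nothing, while the chain itself has been checked no less strictly than one from a trusted CA.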
