On Fri, Jan 30, 2009 at 7:21 AM, Ralf Groeper <[email protected]> wrote:
>
> Globus Toolkit can consume SAML1.x assertions (e.g. issued by GridShib SAML
> Tools) using GridShib for GT.
>
> As far as I know there is no SAML2 support available at all. However, SAML
> VOMS issues SAML2 assertions.
Actually, it is worse than that. GridShib for GT will process self-issued SAML tokens with sender-vouches subject confirmation, such as those issued by a portal on behalf of a portal user. (This is the TeraGrid Science Gateway use case, which we fully support.)

GridShib for GT does not currently support holder-of-key SAML tokens of any kind. (Well, that's not totally true, since we support implicit holder-of-key SAML tokens bound to trusted end-entity certificates, such as those issued by the GridShib CA.)

To support VOMS-SAML, GridShib for GT must be made to support explicit holder-of-key SAML tokens bound to proxy certificates. As I mentioned earlier, such SAML tokens MUST include a <ds:X509SubjectName> element. (Somebody else will have to comment on whether or not VOMS-SAML supports this type of subject confirmation.)

Tom
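The subject-confirmation cases Tom distinguishes (sender-vouches from a trusted portal, and explicit holder-of-key bound to a proxy certificate via <ds:X509SubjectName>), as an added example that is not part of this thread and is not GridShib for GT code. It assumes a simplified RFC 3820 rule for telling proxy certificates from the end-entity certificate (a proxy's subject is its issuer's subject plus one CN component), represents certificates only by constructed subject/issuer DN strings rather than real X.509 objects, and does not verify XML signatures; the assertion XML and the `trusted_portals` list are constructed for the example.

```python
"""Checking a SAML 1.x SubjectConfirmation against a proxy-certificate chain.

Added example, not GridShib for GT code. Signature verification is out of
scope here; a real relying party would validate the assertion signature first.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed DNs: a CA, Alice's end-entity certificate (EEC), and one proxy.
CA = "/C=US/O=Example/CN=Example CA"
ALICE = "/C=US/O=Example/CN=Alice"
PROXY_CHAIN = [  # (subject, issuer) from the leaf upward, as presented over TLS
    (ALICE + "/CN=1234567890", ALICE),
    (ALICE, CA),
    (CA, CA),
]


def end_entity_subject(chain):
    """Walk up from the leaf and return the subject DN of the first
    certificate that is not a proxy (assumption: simplified RFC 3820 rule,
    a proxy's subject == issuer's subject + exactly one extra CN)."""
    for subject, issuer in chain:
        is_proxy = (subject.startswith(issuer + "/CN=")
                    and subject.count("/") == issuer.count("/") + 1)
        if not is_proxy:
            return subject
    raise ValueError("no end-entity certificate in chain")


def confirm_subject(assertion_xml, chain, trusted_portals=()):
    """Return (confirmation_method, confirmed_subject_dn) or raise ValueError.

    sender-vouches: accepted only when the self-issuing portal is trusted.
    holder-of-key : the token MUST carry ds:X509SubjectName, and it must equal
                    the EEC subject of the proxy chain whose key was proven.
    """
    root = ET.fromstring(assertion_xml)
    method = root.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod",
                           namespaces=NS)
    if method == SENDER_VOUCHES:
        issuer = root.get("Issuer")
        if issuer not in trusted_portals:
            raise ValueError(f"sender-vouches token from untrusted issuer {issuer!r}")
        return method, root.findtext(".//saml:Subject/saml:NameIdentifier", namespaces=NS)
    if method == HOLDER_OF_KEY:
        dn = root.findtext(".//saml:SubjectConfirmation/ds:KeyInfo/ds:X509Data"
                           "/ds:X509SubjectName", namespaces=NS)
        if dn is None:
            raise ValueError("holder-of-key token lacks ds:X509SubjectName")
        eec = end_entity_subject(chain)
        if dn.strip() != eec:
            raise ValueError(f"X509SubjectName {dn!r} != chain EEC {eec!r}")
        return method, eec
    raise ValueError(f"unsupported confirmation method {method!r}")


def build_assertion(issuer, method, key_info=""):
    """Constructed SAML 1.1 assertion (values are illustrative, not real)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed"
  Issuer="{issuer}" IssueInstant="2009-01-30T12:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>{ALICE}</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>{key_info}
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AttributeStatement>
</saml:Assertion>"""


X509_KEYINFO = (f"<ds:KeyInfo><ds:X509Data><ds:X509SubjectName>{ALICE}"
                "</ds:X509SubjectName></ds:X509Data></ds:KeyInfo>")
HOK_ASSERTION = build_assertion("https://voms.example.org/saml", HOLDER_OF_KEY, X509_KEYINFO)
HOK_NO_NAME = build_assertion("https://voms.example.org/saml", HOLDER_OF_KEY)
SV_ASSERTION = build_assertion("https://gateway.example.org", SENDER_VOUCHES)


if __name__ == "__main__":
    print(confirm_subject(HOK_ASSERTION, PROXY_CHAIN))
    print(confirm_subject(SV_ASSERTION, PROXY_CHAIN, {"https://gateway.example.org"}))
    for bad in (HOK_NO_NAME,):
        try:
            confirm_subject(bad, PROXY_CHAIN)
        except ValueError as e:
            print("rejected:", e)
```

The point of the check is that a holder-of-key token bound to a proxy cannot name the proxy itself (proxy subjects are ephemeral), so it names the end-entity certificate and the relying party has to climb the presented chain to the EEC before comparing; a token without the <ds:X509SubjectName> element gives it nothing to compare and is rejected.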
