Hi all,
When you say that Globus Toolkit can consume SAML1.x assertions, does it
also mean that the Globus-VOMS interceptors can extract and work with SAML
assertions?

Regards,
Kakoli


> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]on Behalf Of Tom Scavo
> Sent: Wednesday, February 04, 2009 3:36 AM
> To: Ralf Groeper
> Cc: glite-discuss (Open discussions for the gLite community);
> [email protected]
> Subject: Re: [gt-user] SAML based VOMS Server
>
>
> On Fri, Jan 30, 2009 at 7:21 AM, Ralf Groeper
> <[email protected]> wrote:
> >
> > Globus Toolkit can consume SAML1.x assertions (e.g. issued by GridShib SAML
> > Tools) using GridShib for GT.
> >
> > As far as I know there is no SAML2 support available at all. However, SAML
> > VOMS issues SAML2 assertions.
>
> Actually, it is worse than that.  GridShib for GT will process
> self-issued SAML tokens with sender-vouches subject confirmation, such
> as those issued by a portal on behalf of a portal user.  (This is the
> TeraGrid Science Gateway use case, which we fully support.)  GridShib
> for GT does not currently support holder-of-key SAML tokens of any
> kind.  (Well, that's not totally true since we support implicit
> holder-of-key SAML tokens bound to trusted end-entity certificates,
> such as those issued by the GridShib CA.)
>
> To support VOMS-SAML, GridShib for GT must be made to support explicit
> holder-of-key SAML tokens bound to proxy certificates.  As I mentioned
> earlier, such SAML tokens MUST include a <ds:X509SubjectName> element.
>  (Somebody else will have to comment whether or not VOMS-SAML supports
> this type of subject confirmation.)
>
> Tom
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
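
Added example, not part of the original thread and not GridShib or VOMS code: a structural check that tells the sender-vouches and holder-of-key subject confirmation methods discussed above apart and looks for the <ds:X509SubjectName> element. The sample assertions and the DN are constructed, the function names are hypothetical, and the check also reads the SAML 2.0 `Method` attribute form.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML_NS = ("{urn:oasis:names:tc:SAML:1.0:assertion}",   # SAML 1.x
           "{urn:oasis:names:tc:SAML:2.0:assertion}")   # SAML 2.0

def subject_confirmations(assertion_xml):
    """Return one (method URI, X509SubjectName or None) pair per confirmation method."""
    root = ET.fromstring(assertion_xml)
    found = []
    for ns in SAML_NS:
        for sc in root.iter(ns + "SubjectConfirmation"):
            # SAML 1.x carries <ConfirmationMethod> children; SAML 2.0 a Method attribute.
            methods = [m.text.strip() for m in sc.findall(ns + "ConfirmationMethod") if m.text]
            if sc.get("Method"):
                methods.append(sc.get("Method"))
            name = sc.find(".//" + DS + "X509SubjectName")
            dn = name.text.strip() if name is not None and name.text else None
            found.extend((m, dn) for m in methods)
    return found

def is_explicit_holder_of_key(assertion_xml):
    """True only for holder-of-key confirmation that names an X.509 subject."""
    return any(m.endswith(":cm:holder-of-key") and dn is not None
               for m, dn in subject_confirmations(assertion_xml))

# Structural check only: signature validation and matching the DN against the
# presented certificate chain are separate steps.
_WRAP = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:AttributeStatement>'
         '<saml:Subject><saml:SubjectConfirmation>%s</saml:SubjectConfirmation>'
         '</saml:Subject></saml:AttributeStatement></saml:Assertion>')

# Constructed samples (not captured from any real service).
HOK_SAMPLE = _WRAP % (
    '<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key'
    '</saml:ConfirmationMethod><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>'
    'CN=1234567,CN=Jane Doe,O=Example Grid,C=US'
    '</ds:X509SubjectName></ds:X509Data></ds:KeyInfo>')
SV_SAMPLE = _WRAP % (
    '<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'
    '</saml:ConfirmationMethod>')

if __name__ == "__main__":
    for label, doc in (("holder-of-key", HOK_SAMPLE), ("sender-vouches", SV_SAMPLE)):
        print(label, subject_confirmations(doc), is_explicit_holder_of_key(doc))
```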

