Hi Tom.

>> To get SAML assertions containing the VOMS information you extend your
>> existing VOMS installation by adding the VOMS SAML service. Originally
>> the service was standalone, but it will be integrated with VOMS-Admin.
>> VOMS-Admin is going to be the container for all the WS effort around
>> VOMS. Version 2.0.17 shall be the first release containing the VOMS SAML
>> endpoint. It was originally scheduled for this month, but seems not to
>> be released yet. Maybe you can get it from CVS.
> 
> What about the client side?  Will the voms-proxy-init tool be extended
> to support this new server-side option?  If so, can you provide a
> pointer?

That is a good question. I never read about any extension of
voms-proxy-init. Maybe someone from INFN reads this list and can answer
that question.


> The reason I ask is because a VOMS-SAML token bound to a proxy
> certificate MUST contain a <ds:X509SubjectName> element in its
> <saml:SubjectConfirmation> element.  Do we know if this is the case?

Could you explain why in a handful of words?
In the example assertions I created with the last standalone version of
SAML-VOMS there is none. You only get the holder-of-key confirmation method
and the X509Certificate data, but no X509SubjectName element. For
those who are interested in it, I append a SAML-VOMS response containing
some VO groups and roles as an example.

Regards,
Benjamin
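<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example SAML 2.0 Response produced by the standalone SAML-VOMS service, as
  posted to the list. The signature value and the certificate contents were
  elided by the poster ("..."). Repairs relative to the posted copy: the stray
  ";" that the mail archive appended to every URL-valued attribute is removed,
  lines the mail client wrapped inside tags and text are re-joined, and the
  xsi prefix used by xsi:type (undeclared in the posted copy, so the document
  was not namespace-well-formed) is declared on the root.
-->
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
          InResponseTo="_qwertyuiopasdfghjklzxcvbn"
          IssueInstant="2008-10-16T19:03:57.922Z"
          Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
                  IssueInstant="2008-10-16T19:03:57.920Z"
                  Version="2.0">
    <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
    <!-- Enveloped signature over this Assertion: the Reference URI is the
         Assertion's own ID. Digest and signature algorithms are SHA-1 based
         (xmldsig#sha1, xmldsig#rsa-sha1); a present-day relying party would
         be expected to reject these. Exclusive C14N without comments is used,
         so the XML comments in this sample do not enter the digest; the
         PrefixList pins the ds, saml and xs declarations into the canonical
         form. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                      PrefixList="ds saml xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <!-- Signature value and signing certificate elided by the poster. -->
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <!-- The subject is named by its certificate DN (X509SubjectName NameID
         format) and confirmed holder-of-key, with the confirming key carried
         as an X509Certificate inside KeyInfo. Note that there is no
         ds:X509SubjectName element in the SubjectConfirmation - the point
         raised in the thread for assertions bound to a proxy certificate. -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window: roughly eleven hours from issuance. -->
    <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
                     NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
    <!-- VOMS roles appear as "role@/group/path" strings and group memberships
         as "/group/path" strings; "nationality" is presumably a VO-defined
         generic attribute (not shown in the thread - confirm with the VO). -->
    <saml:AttributeStatement>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="nationality"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">German</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/research</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Response>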

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
