On Wed, Feb 4, 2009 at 1:59 AM, Benjamin Henne
<[email protected]> wrote:
>
>> What about the client side?  Will the voms-proxy-init tool be extended
>> to support this new server-side option?  If so, can you provide a
>> pointer?
>
> That is a good question. I never read about any extension of
> voms-proxy-init. Maybe someone from INFN reads this list and can answer
> that question.

Seems like something as simple as

$ voms-proxy-init --saml ...

would do the trick.  Alternatively, one could use the
gridshib-proxy-bind tool in GridShib SAML Tools.  In fact, I
implemented this tool with this use case in mind :-)

Interestingly, the response you posted is, err, a response.  The
client is the requester, so the client should consume the response,
leaving only the assertion.  I'm not sure what's going on there...

>> The reason I ask is because a VOMS-SAML token bound to a proxy
>> certificate MUST contain a <ds:X509SubjectName> element in its
>> <saml:SubjectConfirmation> element.  Do we know if this is the case?
>
> Could you explain why in a handful of words.

Yes.  As I understand the VOMS protocol, the user authenticates to the
VOMS server with their end-entity certificate, so if you bind the EEC
to the assertion using <ds:X509Certificate>, that works fine with
WS-Security SAML Token Profile (presumably used in UNICORE) but if you
subsequently bind the assertion to a proxy certificate and then
present the proxy to a relying party, the RP can't meet the
holder-of-key subject confirmation in the assertion because the
presenter proves possession of the private key corresponding to the
public key in the *proxy*, not the EEC.

The solution is to bind the subject DN of the EEC to the assertion,
not the EEC itself.  Since the subject of the proxy and the EEC are
the same entity by definition, proving possession of the private key
corresponding to the public key in the proxy is sufficient to confirm
the subject.

> In the example assertions I created with the last standalone version of
> SAML-VOMS there is none. You only get confirmation method holder-of-key
> and the X509Certificate things, but no X509SubjectName element.

Oops.

> For
> those who are interested in it, I append a SAML-VOMS response containing
> some VO groups and roles as an example.

Awesome!  I'll comment on this SAML response later in the voms-dev and
gridshib-dev mailing lists.

Thanks,
Tom
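As an added illustration of the holder-of-key problem described above (example code, not part of the thread and not GridShib, VOMS or UNICORE code): the relying-party check is modelled with plain records standing in for X.509 certificates, and a constructed SAML 2.0 assertion skeleton carries the SubjectConfirmation. Only the SAML and XML Signature namespace URIs and the holder-of-key method URI are real; all DNs, key labels and fingerprints are constructed sample values. Binding the assertion to the EEC itself (ds:X509Certificate) fails once a proxy is presented, because the presenter proves the proxy's key; binding to the EEC subject DN (ds:X509SubjectName) succeeds, because the identity of an RFC 3820 proxy chain is the subject of its end-entity certificate, however many proxy levels sit below it.

```python
"""Holder-of-key confirmation: EEC-certificate binding vs. subject-DN binding.

Certificates are plain records (subject DN, issuer DN, key fingerprint, proxy
flag) rather than real X.509, so this runs offline with the standard library.
Every DN, key label and fingerprint here is a constructed sample value.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)


@dataclass(frozen=True)
class Cert:
    subject: str            # distinguished name
    issuer: str
    key_fp: str             # fingerprint of this certificate's public key
    is_proxy: bool = False  # RFC 3820 proxy certificate


def fingerprint(key_label: str) -> str:
    """Stand-in for a public-key fingerprint; the label is a constructed value."""
    return hashlib.sha256(key_label.encode()).hexdigest()[:16]


def issue_proxy(parent: Cert, key_label: str) -> Cert:
    """A proxy's subject is the parent's subject plus one CN component, and the
    proxy has its own key pair, distinct from the EEC's."""
    return Cert(subject=parent.subject + "/CN=proxy", issuer=parent.subject,
                key_fp=fingerprint(key_label), is_proxy=True)


def identity_of_chain(chain: List[Cert]) -> str:
    """Identity of a chain (leaf first) is the subject of the first non-proxy
    certificate, i.e. the EEC, no matter how many proxy levels precede it."""
    for cert in chain:
        if not cert.is_proxy:
            return cert.subject
    raise ValueError("chain has no end-entity certificate")


def build_assertion(bind_by: str, eec: Cert) -> str:
    """Constructed assertion skeleton whose holder-of-key SubjectConfirmation is
    bound either to the EEC itself ("certificate") or to its DN ("subject")."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = eec.subject
    conf = ET.SubElement(subject, f"{{{SAML_NS}}}SubjectConfirmation", Method=HOK)
    data = ET.SubElement(conf, f"{{{SAML_NS}}}SubjectConfirmationData")
    key_info = ET.SubElement(data, f"{{{DS_NS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    if bind_by == "certificate":
        # The fingerprint stands in for the base64 DER certificate body.
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = eec.key_fp
    elif bind_by == "subject":
        ET.SubElement(x509, f"{{{DS_NS}}}X509SubjectName").text = eec.subject
    else:
        raise ValueError(bind_by)
    return ET.tostring(assertion, encoding="unicode")


def confirm_holder_of_key(assertion_xml: str, chain: List[Cert], proven_key_fp: str) -> bool:
    """Relying-party side.  The presenter has already proven possession of the
    private key behind `proven_key_fp` (e.g. TLS client auth with chain[0]);
    the RP must tie that key to the assertion's subject."""
    root = ET.fromstring(assertion_xml)
    conf = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}SubjectConfirmation")
    if conf is None or conf.get("Method") != HOK:
        return False
    if not chain or chain[0].key_fp != proven_key_fp:
        return False  # the proven key is not the leaf certificate's key
    x509 = conf.find(f".//{{{DS_NS}}}X509Data")
    if x509 is None:
        return False
    cert_el = x509.find(f"{{{DS_NS}}}X509Certificate")
    if cert_el is not None:
        # Bound to one certificate: the proven key must be that certificate's
        # key.  A proxy carries a different key, so this cannot succeed.
        return cert_el.text == proven_key_fp
    name_el = x509.find(f"{{{DS_NS}}}X509SubjectName")
    if name_el is not None:
        # Bound to the subject DN: the chain's identity (the EEC subject)
        # confirms the subject whichever key in the chain was proven.
        return identity_of_chain(chain) == name_el.text
    return False


def demo() -> Tuple[bool, bool]:
    """Alice presents a two-level proxy chain; returns (by certificate, by DN)."""
    eec = Cert(subject="/DC=org/DC=example/CN=Alice",
               issuer="/DC=org/DC=example/CN=CA", key_fp=fingerprint("alice-eec-key"))
    proxy = issue_proxy(eec, "alice-proxy-key")
    proxy2 = issue_proxy(proxy, "alice-proxy2-key")
    chain = [proxy2, proxy, eec]
    by_cert = confirm_holder_of_key(build_assertion("certificate", eec), chain, proxy2.key_fp)
    by_name = confirm_holder_of_key(build_assertion("subject", eec), chain, proxy2.key_fp)
    return by_cert, by_name


if __name__ == "__main__":
    print(demo())
```

With the EEC presented directly, certificate binding still confirms (the WS-Security SAML Token Profile case); it is only the step of re-binding the assertion to a proxy that breaks it, which is why the DN binding is the one that survives delegation.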
