[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: motivation for the HoK Assertion Request Profiles
The Virtual Organization Membership Service (VOMS) [1] is the most successful attribute-based authorization framework in the Grid. A traditional VOMS credential is an X.509 attribute certificate [2] bound to an X.509 proxy certificate [3]. Recently, however, VOMS has added a SAML interface [4] to its server implementation. Meanwhile, the OGSA Authorization Working Group [5], under the auspices of the Open Grid Forum [6], is profiling the authorization decision function of a Grid service provider. There are four documents [7] under consideration within the Authz WG:

1. Functional Components of Grid Service Provider Authorisation Service Middleware (pub 6 April 08)
2. Use of WS-TRUST and SAML to access a Credential Validation Service (pub 9 July 08)
3. Use of XACML Request Context to Obtain an Authorisation Decision (pub 31 Mar 08)
4. Use of SAML to retrieve Authorization Credentials (pub 7 April 2008)

The latter specification (aka the "OGSA attribute exchange") profiles a SAML attribute exchange as implemented by the new VOMS SAML interface. The original OGSA attribute exchange profile is based on the SAML V2.0 Deployment Profiles for X.509 Subjects [8], which profiles the case where the requester acts on behalf of the subject and also the case where the requester is the subject (self-query). When Nate Klingenstein published the SAML V2.0 Holder-of-Key Web Browser SSO Profile [9], it became clear that the self-query use case in the Deployment Profiles for X.509 Subjects was unnecessarily restrictive. Indeed, there are many more SAML deployments based on username/password credentials than there are deployments based on X.509-based PKI, so the OGSA attribute exchange profile (which has already undergone public review) needs to be totally rewritten so that it can leverage the existing installed base of SAML IdPs. The SAML V2.0 Holder-of-Key Assertion Request Profiles [10] form the basis of the new OGSA attribute exchange profile.
In particular, the SAML V2.0 Holder-of-Key Self-Request Profile (section 2 of [10]) describes in general terms how a subject self-issues a SAML request to obtain a holder-of-key assertion. As with the HoK Web Browser SSO Profile, the subject authenticates to the IdP in whatever way is most convenient. For example, the subject can use an existing username/password credential to authenticate to the IdP via HTTP Basic Authentication, WS-Security Username Token Profile, or perhaps even OAuth.

Tom Scavo
NCSA

[1] http://www.globus.org/grid_software/security/voms.php
[2] http://www.ietf.org/rfc/rfc3281.txt
[3] http://www.ietf.org/rfc/rfc3820.txt
[4] http://repository.omii-europe.org/downloads/project.jsp?projectid=7
[5] http://forge.gridforum.org/projects/ogsa-authz
[6] http://www.ogf.org/
[7] http://forge.gridforum.org/sf/docman/do/listDocuments/projects.ogsa-authz/docman.root.authz_service?_sortby=documentList(dateLastModified)&_sorder=documentList(desc)
[8] http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy
[9] http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
[10] http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest
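As an added illustration of the self-request exchange sketched in the post above (example code written for this page, not code from the HoK profiles, VOMS, or the poster): a subject builds a holder-of-key AttributeQuery naming its own TLS client certificate, the IdP authenticates the subject with HTTP Basic, binds only the key actually proven in the TLS handshake (refusing a query that names any other key), and returns an assertion carrying a holder-of-key SubjectConfirmation, which a relying party then checks against the certificate its own client presents. The entity IDs, the password store, the certificate bytes, and the rule that a self-query's Issuer equals its NameID are all assumptions of this example; XML signatures are omitted.

```python
"""Added example (not code from the HoK profiles, VOMS or this post): a SAML
V2.0 holder-of-key self-request, IdP issuance after HTTP Basic authentication,
and the relying party's key-match check.  Standard library only; entity IDs,
credentials and certificate bytes below are constructed stand-ins."""
import base64, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# Constructed stand-ins: alice's (possibly self-signed) TLS client certificate
# in DER form, and the IdP's password store.
ALICE_CERT_DER = b"constructed DER bytes for alice's client certificate"
USERS = {"alice": "correct horse battery staple"}

def _tag(prefix, local):
    return f"{{{NS[prefix]}}}{local}"

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _hok_confirmation(cert_der):
    """saml:SubjectConfirmation Method=holder-of-key wrapping ds:KeyInfo."""
    sc = ET.Element(_tag("saml", "SubjectConfirmation"), Method=HOK)
    scd = ET.SubElement(sc, _tag("saml", "SubjectConfirmationData"),
                        {_tag("xsi", "type"): "saml:KeyInfoConfirmationDataType"})
    x509 = ET.SubElement(ET.SubElement(scd, _tag("ds", "KeyInfo")), _tag("ds", "X509Data"))
    ET.SubElement(x509, _tag("ds", "X509Certificate")).text = base64.b64encode(cert_der).decode()
    return sc

def _cert_in(sc):
    node = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return base64.b64decode(node.text) if node is not None and node.text else None

def build_self_query(subject, cert_der):
    """Subject-issued AttributeQuery: Issuer is the subject itself (self-query,
    an assumption here), and the SubjectConfirmation asks for a holder-of-key
    binding to cert_der."""
    q = ET.Element(_tag("samlp", "AttributeQuery"), ID="_" + uuid.uuid4().hex,
                   Version="2.0", IssueInstant=_now())
    ET.SubElement(q, _tag("saml", "Issuer")).text = subject
    subj = ET.SubElement(q, _tag("saml", "Subject"))
    ET.SubElement(subj, _tag("saml", "NameID")).text = subject
    subj.append(_hok_confirmation(cert_der))
    return ET.tostring(q, encoding="unicode")

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate_basic(authorization):
    """HTTP Basic: returns the username on success, None otherwise."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    return user if stored is not None and hmac.compare_digest(stored.encode(), pw.encode()) else None

def issue_hok_assertion(query_xml, authorization, tls_client_cert_der, idp_entity_id):
    """IdP side.  The password proves who the requester is; the TLS client
    certificate proves which key the requester holds.  Only that proven key
    is bound into the assertion; a query naming any other key is refused."""
    user = authenticate_basic(authorization)
    if user is None:
        raise PermissionError("authentication failed")
    q = ET.fromstring(query_xml)
    issuer = q.findtext("saml:Issuer", namespaces=NS)
    name_id = q.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not (issuer == name_id == user):
        raise PermissionError("self-query must be issued by the authenticated subject")
    sc = q.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOK or _cert_in(sc) != tls_client_cert_der:
        raise PermissionError("requested key is not the key proven over TLS")
    a = ET.Element(_tag("saml", "Assertion"), ID="_" + uuid.uuid4().hex,
                   Version="2.0", IssueInstant=_now())
    ET.SubElement(a, _tag("saml", "Issuer")).text = idp_entity_id
    subj = ET.SubElement(a, _tag("saml", "Subject"))
    ET.SubElement(subj, _tag("saml", "NameID")).text = user
    subj.append(_hok_confirmation(tls_client_cert_der))
    return ET.tostring(a, encoding="unicode")

def presenter_holds_confirmed_key(assertion_xml, presented_cert_der):
    """Relying-party check (after signature verification, not shown): a
    holder-of-key SubjectConfirmation must name exactly the certificate the
    presenter proved possession of, again via TLS client authentication."""
    want = hashlib.sha256(presented_cert_der).digest()
    for sc in ET.fromstring(assertion_xml).iter(_tag("saml", "SubjectConfirmation")):
        cert = _cert_in(sc) if sc.get("Method") == HOK else None
        if cert is not None and hmac.compare_digest(hashlib.sha256(cert).digest(), want):
            return True
    return False
```

The point a practitioner should take from this is that the password and the key are proven separately: the IdP never trusts the KeyInfo the requester wrote into its query, it binds the certificate the TLS layer saw, and the relying party likewise compares the assertion's KeyInfo against the certificate its own TLS client authentication produced. Any SAML toolkit can replace the hand-built XML; what must survive the swap is those two checks.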