
security-services message


Subject: motivation for the HoK Assertion Request Profiles

The Virtual Organization Membership Service (VOMS) [1] is the most
successful attribute-based authorization framework in the Grid.  A
traditional VOMS credential is an X.509 attribute certificate [2]
bound to an X.509 proxy certificate [3].  Recently, however, VOMS has
added a SAML interface [4] to its server implementation.

Meanwhile, the OGSA Authorization Working Group [5], under the
auspices of the Open Grid Forum [6], is profiling the authorization
decision function of a Grid service provider.  There are four
documents [7] under consideration within the Authz WG:

1. Functional Components of Grid Service Provider Authorisation
Service Middleware (pub 6 April 08)
2. Use of WS-TRUST and SAML to access a Credential Validation Service
(pub 9 July 08)
3. Use of XACML Request Context to Obtain an Authorisation Decision
(pub 31 Mar 08)
4. Use of SAML to retrieve Authorization Credentials (pub 7 April 2008)

The latter specification (aka the "OGSA attribute exchange") profiles
a SAML attribute exchange as implemented by the new VOMS SAML
interface.  The original OGSA attribute exchange profile is based on
the SAML V2.0 Deployment Profiles for X.509 Subjects [8], which
profiles the case where the requester acts on behalf of the subject
and also the case where the requester is the subject (self-query).

When Nate Klingenstein published the SAML V2.0 Holder-of-Key Web
Browser SSO Profile [9], it became clear that the self-query use case
in the Deployment Profiles for X.509 Subjects was unnecessarily
restrictive.  Indeed, there are many more SAML deployments based on
username/password credentials than there are deployments based on
X.509-based PKI, so the OGSA attribute exchange profile (which has
already undergone public review) needs to be totally rewritten so that
it can leverage the existing installed base of SAML IdPs.

The SAML V2.0 Holder-of-Key Assertion Request Profiles [10] form the
basis of the new OGSA attribute exchange profile.  In particular, the
SAML V2.0 Holder-of-Key Self-Request Profile (section 2 of [10])
describes in general terms how a subject self-issues a SAML request to
obtain a holder-of-key assertion.  As with the HoK Web Browser SSO
Profile, the subject authenticates to the IdP in whatever way is most
convenient.  For example, the subject can use an existing
username/password credential to authenticate to the IdP via HTTP Basic
Authentication, WS-Security Username Token Profile, or perhaps even

Tom Scavo

[1] http://www.globus.org/grid_software/security/voms.php
[2] http://www.ietf.org/rfc/rfc3281.txt
[3] http://www.ietf.org/rfc/rfc3820.txt
[4] http://repository.omii-europe.org/downloads/project.jsp?projectid=7
[5] http://forge.gridforum.org/projects/ogsa-authz
[6] http://www.ogf.org/
[7] http://forge.gridforum.org/sf/docman/do/listDocuments/projects.ogsa-authz/docman.root.authz_service?_sortby=documentList(dateLastModified)&_sorder=documentList(desc)
[8] http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy
[9] http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
[10] http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest
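Added example, not part of Tom Scavo's post or of any of the profiles it cites: a Python sketch of the holder-of-key self-request described above, with the checks an IdP would make before binding a key into the assertion it issues. The entity name, IDs and certificate text are constructed placeholders; the requirement that Issuer and Subject NameID coincide, and that the confirmation key equal the key the requester authenticated with on the transport, is an assumed IdP policy, while the namespace URIs and the holder-of-key method URI are the standard SAML V2.0 values.

```python
# Added example (not from the original post). Namespaces and the holder-of-key method
# URI are the standard SAML V2.0 values; names, IDs and the cert are constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
for p, u in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(p, u)


def build_hok_self_request(requester, cert_b64):
    """Requester side: an AttributeQuery whose Subject is the requester itself
    and whose SubjectConfirmation names the key the assertion must be bound to."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                   {"ID": "_constructed-1", "Version": "2.0",
                    "IssueInstant": "2008-07-10T12:00:00Z"})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = requester
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = requester
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": HOK})
    scd = ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData")
    x509 = ET.SubElement(ET.SubElement(scd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    return ET.tostring(q, encoding="unicode")


def check_hok_self_request(xml_text, presented_cert_b64):
    """IdP side (assumed policy): refuse to issue a holder-of-key assertion unless
    the request is a self-query, every confirmation is holder-of-key, and the
    confirmation key is the one the requester proved possession of on the
    transport (e.g. its TLS client certificate). Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        return False, "not an AttributeQuery"
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not issuer or issuer != name_id:
        return False, "Issuer and Subject differ: not a self-query"
    confs = root.findall(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    if not confs:
        return False, "no SubjectConfirmation"
    presented = "".join(presented_cert_b64.split())  # ignore base64 line breaks
    for sc in confs:
        if sc.get("Method") != HOK:
            return False, "confirmation method is not holder-of-key"
        certs = {"".join(c.text.split()) for c in sc.iter(f"{{{DS}}}X509Certificate") if c.text}
        if presented not in certs:
            return False, "confirmation key is not the key the requester authenticated with"
    return True, "ok"
```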
