[gridshib-user] SAML Holder-of-Key Authentication in GridShib (Google Summer of Code @ Globus)

wz qiang weizhongqiang at gmail.com
Tue Sep 2 11:22:58 CDT 2008


Hello,
It is very interesting work. I have a question about it.
"The client presents a meaningless X.509 certificate to the IdP via SSL/TLS
client authentication. This proves possession of the corresponding private
key." So is the certificate actually the user's certificate? And why is it
"meaningless" here?
And the goal of this work is to "convert a campus credential (usually a
username/password) into a SAML credential", but if the user uses his
certificate to authenticate with the IdP, then it is certificate-based
authentication, not username/password-based. And if username/password
authentication is used, then there should be some mechanism for the IdP to
retrieve the key (the public key corresponding to the user's certificate) from
some trusted certificate server (which means the user should possess a
username/password and the relevant X.509 credential as well; only possessing a
username/password is not enough). Am I right?

Cheers,
Weizhong


On Tue, Sep 2, 2008 at 2:04 AM, Tom Scavo <trscavo at gmail.com> wrote:

> On Tue, Aug 19, 2008 at 6:31 PM, Joana M. F. Trindade
> <jmftrindade at gmail.com> wrote:
> > Today the GridShib project is pleased to announce the first release
> > of the project "SAML Holder-of-Key Authentication for HTTP Single
> > Sign-On in GridShib", implemented as part of the Google Summer
> > of Code 2008 Program. See the project wiki for links to the distribution
> > files and accompanying documentation:
> >
> > http://dev.globus.org/wiki/GSoC08/SAML_Holder_of_Key_Authn_for_HTTP_SSO
> >
> > The ultimate goal in this project is to convert a campus credential
> > (e.g., a username/password) into a grid credential. An intermediate step
> > along the way to this goal is to convert a campus credential into a
> > signed, holder-of-key SAML assertion.
>
> To follow up on this, we've outlined an implementation plan in the wiki:
>
> http://dev.globus.org/wiki/SAMLHoKAssertionRequest
>
> We hope to work on this in our spare time ;-)  Seriously, though, we
> wanted to document a probable implementation path in any event.
>
> Tom
>
>
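The exchange this thread is asking about, written out as an added example (editor's code, not GridShib's and not anything from the project wiki): the client authenticates the TLS session with a self-signed certificate whose only useful content is its public key, the IdP takes the subject name from the campus login and binds that certificate into a holder-of-key assertion, and the relying party accepts the assertion only from a presenter who authenticates TLS with the same key. Everything beyond the standard holder-of-key confirmation method URI is constructed for illustration: the issuer and user names, the cut-down assertion structure, the `must` helper, and a detached RSA signature over the serialized assertion standing in for XML Signature so that only the Go standard library is needed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// HoKMethod is the SAML 2.0 holder-of-key subject-confirmation method URI.
const HoKMethod = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

// Assertion is a cut-down illustrative shape (not the full SAML 2.0 schema); the bound key travels as the client's certificate.
type Assertion struct {
	Issuer  string `xml:"Issuer"`
	NameID  string `xml:"Subject>NameID"`
	Confirm struct {
		Method string `xml:"Method,attr"`
		Cert   string `xml:"SubjectConfirmationData>KeyInfo>X509Data>X509Certificate"`
	} `xml:"Subject>SubjectConfirmation"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newMeaninglessCert builds the client's "meaningless" certificate: self-signed, anonymous
// subject, no CA chain. It exists only so TLS client auth can prove possession of key.
func newMeaninglessCert(key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "anonymous"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// issueHoK is the IdP side: the subject name comes from the campus login (username/password,
// assumed verified before this call), the key from the certificate the same TLS session used.
func issueHoK(idpKey *rsa.PrivateKey, issuer, user string, tlsClientCert *x509.Certificate) (assertion, sig []byte) {
	a := Assertion{Issuer: issuer, NameID: user}
	a.Confirm.Method = HoKMethod
	a.Confirm.Cert = base64.StdEncoding.EncodeToString(tlsClientCert.Raw)
	assertion = must(xml.Marshal(a))
	digest := sha256.Sum256(assertion)
	return assertion, must(rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:]))
}

// verifyHoK is the relying-party side: trust the name only under a valid IdP signature and only if
// the presenter's TLS key equals the bound key. The certificate itself is never chain-validated.
func verifyHoK(idpPub *rsa.PublicKey, assertion, sig []byte, presented *x509.Certificate) (string, error) {
	digest := sha256.Sum256(assertion)
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad IdP signature: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(assertion, &a); err != nil {
		return "", err
	}
	if a.Confirm.Method != HoKMethod {
		return "", fmt.Errorf("not a holder-of-key assertion")
	}
	der, err := base64.StdEncoding.DecodeString(a.Confirm.Cert)
	if err != nil {
		return "", err
	}
	bound, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if string(bound.RawSubjectPublicKeyInfo) != string(presented.RawSubjectPublicKeyInfo) {
		return "", fmt.Errorf("presenter does not hold the key bound in the assertion")
	}
	return a.NameID, nil
}

// demo runs the exchange with constructed names: the key holder is accepted, an impostor who copied the assertion is not.
func demo() (accepted string, impostorErr error) {
	idpKey := must(rsa.GenerateKey(rand.Reader, 2048))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	raw, sig := issueHoK(idpKey, "https://idp.example.edu", "jdoe", newMeaninglessCert(userKey))
	accepted = must(verifyHoK(&idpKey.PublicKey, raw, sig, newMeaninglessCert(userKey)))
	_, impostorErr = verifyHoK(&idpKey.PublicKey, raw, sig, newMeaninglessCert(must(rsa.GenerateKey(rand.Reader, 2048))))
	return accepted, impostorErr
}

func main() { fmt.Println(demo()) }
```

The check that does the work is the last comparison in `verifyHoK`: the relying party validates the IdP's signature and the presenter's key, not the client certificate's chain, which is why that certificate can be self-signed and anonymous, and why a copied assertion is useless to anyone without the matching private key.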