AAA Testbed: Attributes provided to RP from Science Gateway
From TeraGrid Wiki
Status of this Page
The AAA Testbed has completed and this document is historical.
A list of all documents related to the AAA Testbed can be found at Category:AAATestbed.
The use case described on this page is being worked on and details can be found at Science Gateway User Attributes.
Community Credential Model
This model assumes the user authenticates to the portal with a traditional username and password (or an equivalent form of authentication), and that the science gateway then uses a community credential to authenticate to an RP resource, where the user's request is run in a community account.
The user is presumed to have previously registered with the science gateway and already have a username and password.
Process at the Science Gateway
- User authenticates to the science gateway using a username and password.
- The Science Gateway uses the GridShib SAML Tools to create a new proxy credential for the user containing the following attributes:
  - The username of the user, scoped to the science gateway name
  - The IP address of the user
  - The identity of the science gateway (expressed as a URI, e.g. the URL of the science gateway)
  - An attribute containing community membership for the user
- The proxy certificate is signed by the community credential. The attributes are contained within the certificate and hence protected by that same signature. The community credential is in effect an attribute authority.
- The proxy credential is then used to authenticate the user's request to the RP resource and make their request.
RP Authorization Process
- The RP Resource authenticates the request from the Science Gateway. In this process signatures and time validity are verified.
- The following policy checks may be made on the attributes in the proxy credential:
  - The user name is checked against a list of unauthorized users.
  - The country code of the user is checked against a list of unauthorized countries.
  - The IP address of the user is checked against a list of unauthorized IP addresses (individual addresses as well as address blocks).
- The attributes are logged.
- Assuming all attribute-based authorization checks pass, the DN from the credential is verified to be in the grid-mapfile and the community account is determined.
Details
Example SAML Assertion from Science Gateway to RP Resource
The following shows an assertion from a fictitious www.example.org science gateway, having authenticated user vwelch from IP address 10.0.0.1.
The portal believes, based on the IP address, that the user is located in the US (OID 2.5.4.6).
The portal asserts the user is a member of www.example.org (OID 1.3.6.1.4.1.5923.1.5.1.1).
It was created via the command:
gridshib-saml-issuer --authn --authnInstant "`date`" --address 10.0.0.1 --user vwelch@www.example.org
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AssertionID="_cd4bfe11e86f2e00c4479bf1bf92df0a"
           IssueInstant="2007-02-27T21:04:18.951Z"
           Issuer="CN=gridshib.example.org, O=example.org, C=us"
           MajorVersion="1" MinorVersion="1">
  <AuthenticationStatement
      AuthenticationInstant="2007-02-27T21:04:14.665Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <Subject>
      <NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        vwelch@www.example.org
      </NameIdentifier>
    </Subject>
    <SubjectLocality IPAddress="10.0.0.1"></SubjectLocality>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject>
      <NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        vwelch@www.example.org
      </NameIdentifier>
    </Subject>
    <Attribute AttributeName="urn:oid:2.5.4.6"
               AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <AttributeValue xsi:type="xsd:string">
        US
      </AttributeValue>
    </Attribute>
    <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
               AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <AttributeValue xsi:type="xsd:string">
        http://www.example.org
      </AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
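The following is an added example, not GridShib or TeraGrid code, showing how an RP resource could run the attribute policy checks from the RP Authorization Process above over the assertion just shown. It assumes the GSI layer has already verified the proxy certificate chain and the signature covering the embedded assertion, so only the attribute policy (user, country and IP deny lists, with CIDR blocks), the attribute logging and the grid-mapfile lookup are implemented. The deny lists, the grid-mapfile contents and the community credential DN are constructed for the example; the assertion is a copy of the one above with the wrapped Issuer value joined onto one line.

```python
"""RP-side policy checks on the attributes carried in a GridShib SAML 1.x assertion.

Constructed example, not GridShib or TeraGrid code. It assumes the GSI layer has
already verified the proxy certificate chain and the signature over the embedded
assertion; only the attribute policy and the grid-mapfile lookup are shown.
"""
import ipaddress
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("rp-authz")
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
OID_COUNTRY = "urn:oid:2.5.4.6"                      # countryName
OID_COMMUNITY = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # community membership (isMemberOf)

# Constructed copy of the assertion shown on the page (Issuer joined onto one line).
EXAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AssertionID="_cd4bfe11e86f2e00c4479bf1bf92df0a"
  IssueInstant="2007-02-27T21:04:18.951Z"
  Issuer="CN=gridshib.example.org, O=example.org, C=us" MajorVersion="1" MinorVersion="1">
  <AuthenticationStatement AuthenticationInstant="2007-02-27T21:04:14.665Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      vwelch@www.example.org
    </NameIdentifier></Subject>
    <SubjectLocality IPAddress="10.0.0.1"/>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      vwelch@www.example.org
    </NameIdentifier></Subject>
    <Attribute AttributeName="urn:oid:2.5.4.6"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <AttributeValue xsi:type="xsd:string">US</AttributeValue>
    </Attribute>
    <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <AttributeValue xsi:type="xsd:string">http://www.example.org</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed RP policy: deny lists for the three attribute checks described on the page.
POLICY = {
    "denied_users": {"mallory@www.example.org"},
    "denied_countries": {"XX"},
    "denied_networks": ["192.0.2.0/24", "10.0.0.99"],  # address blocks or single hosts
}
# Constructed grid-mapfile: community credential DN -> community account.
GRID_MAPFILE = {"/C=us/O=example.org/CN=gridshib.example.org": "gateway_community"}


def parse_assertion(xml_text):
    """Pull the subject, client IP address and attribute values out of the assertion."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthenticationStatement")
    user = stmt.findtext("saml:Subject/saml:NameIdentifier", default="", namespaces=NS).strip()
    loc = stmt.find("saml:SubjectLocality", NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"issuer": root.get("Issuer"), "user": user,
            "ip": loc.get("IPAddress") if loc is not None else None, "attrs": attrs}


def authorize(xml_text, credential_dn, policy=POLICY, gridmap=GRID_MAPFILE):
    """Run the RP policy checks; return (community_account, None) or (None, reason)."""
    a = parse_assertion(xml_text)
    # The page requires the presented attributes to be logged regardless of outcome.
    log.info("issuer=%s user=%s ip=%s attrs=%s", a["issuer"], a["user"], a["ip"], a["attrs"])
    if not a["user"]:
        return None, "assertion carries no subject"
    if a["user"] in policy["denied_users"]:
        return None, "user %s is on the unauthorized-user list" % a["user"]
    country = (a["attrs"].get(OID_COUNTRY) or [None])[0]
    if country in policy["denied_countries"]:
        return None, "country %s is on the unauthorized-country list" % country
    if a["ip"]:
        try:
            addr = ipaddress.ip_address(a["ip"])
        except ValueError:
            return None, "malformed IP address %r" % a["ip"]
        for net in policy["denied_networks"]:
            if addr in ipaddress.ip_network(net, strict=False):
                return None, "address %s is in blocked range %s" % (addr, net)
    # All attribute checks passed: map the credential DN to the community account.
    account = gridmap.get(credential_dn)
    if account is None:
        return None, "DN %s is not in the grid-mapfile" % credential_dn
    return account, None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(authorize(EXAMPLE_ASSERTION, "/C=us/O=example.org/CN=gridshib.example.org"))
```

Deny-list entries are parsed with `strict=False` so a host address such as `10.0.0.99` and a block such as `192.0.2.0/24` are handled by the same comparison; a malformed address in the assertion is treated as a failure rather than skipped, since the IP check is the basis for the country attribute the gateway asserts.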
