SAML NameIDs for TeraGrid
From TeraGrid Wiki
TeraGrid Entity Name Identifiers
URI: http://teragrid.org/names/nameid-format/entity
Indicates that the content of a SAML element or attribute is the identifier of a TeraGrid entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in a SAML profile (such as a SAML service provider supporting the web browser SSO profile). Such an identifier, called an entityID, is typically used as the value of the SAML V1.1 Issuer XML attribute or the SAML V2.0 <saml2:Issuer> element to identify the issuer of a SAML request, response, or assertion. An entityID may also be used in other SAML elements and attributes whose purpose is to identify a system entity in various protocol exchanges.
Less often, an entityID appears as the content of the SAML V1.1 <saml:NameIdentifier> element or the SAML V2.0 <saml2:NameID> element, with the element's Format XML attribute set to this URI, in order to make assertions about system entities. If the Format attribute on an instance of the <saml:NameIdentifier> element or the <saml2:NameID> element is set to "http://teragrid.org/names/nameid-format/entity", the element's NameQualifier XML attribute MUST be omitted.
Generally, the syntax of an entityID is a URI of not more than 1024 characters in length. Within the TeraGrid, an entityID MUST be a URL.
Use Case
A TeraGrid Science Gateway is by definition a SAML issuer. By convention, a Science Gateway is identified by an entityID of the form
https://saml.teragrid.org/gateway/community_account
where community_account is a distinguished community account name associated with the Science Gateway.
Examples
<!-- a SAML V1.1 assertion issued by the Bioportal Science Gateway -->
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_2beccd2815ee17e0ef4432a83b070599"
IssueInstant="2008-02-25T15:39:29.141Z"
Issuer="https://saml.teragrid.org/gateway/bioport"
MajorVersion="1"
MinorVersion="1">
<!-- assertion content here -->
</saml:Assertion>
<!-- a SAML V2.0 assertion issued by the Bioportal Science Gateway -->
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_2beccd2815ee17e0ef4432a83b070599"
IssueInstant="2008-02-25T15:39:29.141Z"
Version="2.0">
<saml2:Issuer
Format="http://teragrid.org/names/nameid-format/entity">
https://saml.teragrid.org/gateway/bioport
</saml2:Issuer>
<!-- assertion content here -->
</saml2:Assertion>
TeraGrid Subject Name Identifiers
General Requirements
All TeraGrid subject name identifiers are persistent, non-reassignable identifiers. Although the lifetime of a persistent identifier spans multiple sessions (by definition), the issuer MAY discontinue use of the identifier at its discretion. In that case, the identifier MUST NOT be reassigned to a different principal at any time in the future.
The NameQualifier Attribute
If the Format attribute on an instance of the SAML V1.1 <saml:NameIdentifier> element or the SAML V2.0 <saml2:NameID> element is set to "http://teragrid.org/names/nameid-format/principalname", the element's NameQualifier XML attribute MUST be omitted.
TeraGrid Principal Name Format
URI: http://teragrid.org/names/nameid-format/principalname
Indicates that the content of a SAML element is a scoped principal name. A TeraGrid principal name identifier is a persistent, non-reassignable identifier. The syntax of a valid principal name is identical to that of eduPersonPrincipalName: the identifier is of the form user@scope, where the scope part is chosen so that the identifier is guaranteed to be globally unique.
Typically the user part of a TeraGrid principal name identifier is the actual username by which the principal is known at the SAML issuer. However, the user part MAY be an opaque pseudonym for the principal. In that case, the user part MUST be constructed using a pseudo-random value that has no discernible correspondence with the subject's actual identifier. The intent is to create a non-public pseudonym used within the TeraGrid to prevent the discovery of the subject's true identity.
Persistent pseudonyms are intended as a privacy protection mechanism; as such they MUST NOT be shared in clear text with non-TeraGrid providers. Furthermore, they MUST NOT appear in log files or similar locations without appropriate controls and protections.
Use Case
A TeraGrid Science Gateway issues assertions containing principal name identifiers for its users. Typically, the user part of a principal name identifier asserted by a Science Gateway is the portal login of the user. By convention, the scope part of a TeraGrid principal name identifier is community_account.teragrid.org, so the full identifier takes the form
user@community_account.teragrid.org
where community_account is a distinguished community account name associated with the Science Gateway.
Examples
<!-- a transparent SAML V1.1 principal name identifier
asserted by the GISolve Science Gateway -->
<saml:NameIdentifier
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
Format="http://teragrid.org/names/nameid-format/principalname">
trscavo@gisolve.teragrid.org
</saml:NameIdentifier>
<!-- an equivalent SAML V2.0 principal name identifier -->
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="http://teragrid.org/names/nameid-format/principalname">
trscavo@gisolve.teragrid.org
</saml2:NameID>
<!-- an opaque, pseudonymous SAML V1.1 principal name identifier
asserted by the nanoHUB Science Gateway -->
<saml:NameIdentifier
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
Format="http://teragrid.org/names/nameid-format/principalname">
7a55e286@nanohub.teragrid.org
</saml:NameIdentifier>
<!-- an equivalent SAML V2.0 principal name identifier -->
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="http://teragrid.org/names/nameid-format/principalname">
7a55e286@nanohub.teragrid.org
</saml2:NameID>
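The following is an added example, not code from the TeraGrid wiki or any TeraGrid software: a relying party's Python check of both formats described above (entity identifiers and principal name identifiers) against the rules on this page. The last step, requiring the NameID scope to match the community account named in the issuing gateway's entityID, is an assumed consistency check that ties the two conventions together, not a rule this page states; the sample assertion is constructed.

```python
import re
import xml.etree.ElementTree as ET
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FMT = "http://teragrid.org/names/nameid-format/entity"
PRINCIPAL_FMT = "http://teragrid.org/names/nameid-format/principalname"
GATEWAY_PREFIX = "https://saml.teragrid.org/gateway/"

def _format_and_content(elem, expected_format):
    """Rule shared by both TeraGrid formats: Format must match and NameQualifier MUST be omitted."""
    if elem.get("Format") != expected_format:
        raise ValueError(f"unexpected Format {elem.get('Format')!r}")
    if "NameQualifier" in elem.attrib:
        raise ValueError("NameQualifier MUST be omitted with TeraGrid name formats")
    return (elem.text or "").strip()

def check_issuer(elem):
    """Return the community account named by a Science Gateway entityID (a URL of at most 1024 chars)."""
    entity_id = _format_and_content(elem, ENTITY_FMT)
    if len(entity_id) > 1024 or not entity_id.startswith(GATEWAY_PREFIX):
        raise ValueError("entityID is not a TeraGrid gateway URL")
    account = entity_id[len(GATEWAY_PREFIX):]
    if not re.fullmatch(r"[a-z0-9-]+", account):  # assumed account-name alphabet
        raise ValueError("malformed community account in entityID")
    return account

def check_name_id(elem):
    """Return (user, community_account) from a user@community_account.teragrid.org principal name."""
    m = re.fullmatch(r"([^@\s]+)@([a-z0-9-]+)\.teragrid\.org", _format_and_content(elem, PRINCIPAL_FMT))
    if not m:
        raise ValueError("principal name is not of the form user@community_account.teragrid.org")
    return m.group(1), m.group(2)

def check_assertion(xml_text):
    """Validate Issuer and Subject/NameID of a SAML V2.0 assertion; return (gateway account, user)."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML2}}}Issuer")
    name_id = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if issuer is None or name_id is None:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    issuer_account = check_issuer(issuer)
    user, scope_account = check_name_id(name_id)
    if scope_account != issuer_account:  # assumed check: a gateway asserts only names in its own scope
        raise ValueError(f"gateway {issuer_account} asserted a name scoped to {scope_account}")
    return issuer_account, user

# Constructed sample (not taken from the wiki page): the GISolve gateway asserting user trscavo.
SAMPLE = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_c0ffee" Version="2.0" IssueInstant="2008-02-25T15:39:29.141Z">
<saml2:Issuer Format="{ENTITY_FMT}">{GATEWAY_PREFIX}gisolve</saml2:Issuer>
<saml2:Subject><saml2:NameID Format="{PRINCIPAL_FMT}">trscavo@gisolve.teragrid.org</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""
```

Calling check_assertion(SAMPLE) returns ("gisolve", "trscavo"); an assertion carrying a NameQualifier, a non-gateway entityID, or a name scoped to another community account raises ValueError.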
