Difference: SAMLEnabledVOMS (1 vs. 3)

Revision 32006-07-11 - ValerioVenturi

Line: 1 to 1

META TOPICPARENT	name="SAMLAuthorizationService"

Added:

>
>

<--
     * Set ALLOWTOPICCHANGE = VomsGroup
-->

a SAML enabled VOMS

Changed:

<
<

Translating attributes used in VOMS to SAML

>
>

Which binding to use?

[SAMLCore] defines assertion and request-response protocol messages. [SAMLBind] defines bindings of SAML protocol message to underlying communication and messaging protocols. [OGSAAuthzService] implicitly define another binding by specifying a WSDL with an operations that wrap the Request-Response protocol. We need to decide which binding to support and whether to define others.

Request/Response [< OGSA Authorization Service] < SOAP < {HTTP, HTTPS, HTTP over GSI}

Translating attributes used in VOMS to SAML

VOMS releases to users attributes regarding VO membership and role's ownership in form of an Attribute Certificate conforming to RFC3281 (http://www.ietf.org/rfc/rfc3281.txt

). Currently it release two kinds of attributes

Changed:

<
<

Fully Qualified Attribute Name encode the position of the holder inside the vo. A user may be a member of several groups in a vo and may or may not hold a role in the groups he's a member of. This attribute use the following ASN1 syntax
```
IetfAttrSyntax ::= SEQUENCE {
```

>
>

Fully Qualified Attribute Name

A FQAN encode the position of the holder inside the vo. A user may be a member of several groups in a vo and may or may not hold a role in the groups he's a member of. This attribute use the following ASN1 syntax

IetfAttrSyntax ::= SEQUENCE {

policyAuthorty [0] GeneralNames OPTIONAL, values SEQUENCE OF CHOICE { octets OCTET STRING,

Line: 29 to 41

Changed:

<
<

Generic attributes can be used to specify a attributes that don't map in the group/role paradigm. This attribute use the following ASN1 syntax

>
>

Tag List

Tag list are generic key-value pair can be used to specify attributes that don't map in the group/role paradigm. This attribute use the following ASN1 syntax

TagList ::= SEQUENCE {
policyAuthorty GeneralNames,
tags                    SEQUENCE OF Tag

Line: 48 to 61

Changed:

<
<

Are SAML assertions as good as Attribute Certificate?

>
>

SAML assertions vs. Attribute Certificate?

SAML assertions can allocate all the informations contained in Attribute Certificate. Here's a SAML assertion containing an Attribute statement, omitted attribute and signature informations

Line: 60 to 73

xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_f88edc6a61c93bfed776c7290907697e"

Changed:

<
<

IssueInstant="2006-05-24T16:12:36Z" Issuer="/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"

>
>

IssueInstant="2006-05-24T16:12:36Z" Issuer="/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"

MajorVersion="1" MinorVersion="1"> NotBefore="2006-05-24T16:12:36Z" NotOnOrAfter="2006-05-25T04:12:36Z"/>

Changed:

<
<

/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Valerio Venturi/emailAddress=valerio.venturi@cnaf.infn.it

>
>

/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Valerio Venturi/

<Attribute ...

Line: 75 to 91

main concern is with the assertion's subject specification. Attribute Certificate used issuer (certification authority) and serial number of the user's X509 certificate, while saml assertion rely only on the subject of the X509 certificate, unless SubjectConfirmation element is used. Since there are concerns whether dn are good unique identifier, using SubjectConfirmation is suggested.

Added:

>
>

References

[SAMLCore] Assertion and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005, available at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[SAMLBind] Bindings fro the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005, available at http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

[OGSAAuthzService] Welch, Siebenlist, Chadwick, Meder, Pearlman, Use of SAML for OGSA Authorization, September 2003, available at https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-authz/docman.root.authz_service/doc9006

Revision 22006-07-10 - ValerioVenturi

Line: 1 to 1

META TOPICPARENT	name="SAMLAuthorizationService"

a SAML enabled VOMS

Line: 75 to 75

Deleted:

<
<

-- ValerioVenturi - 10 Jul 2006

\ No newline at end of file

Revision 12006-07-10 - ValerioVenturi

Line: 1 to 1

Added:

>
>

META TOPICPARENT	name="SAMLAuthorizationService"

a SAML enabled VOMS

Translating attributes used in VOMS to SAML

VOMS releases to users attributes regarding VO membership and role's ownership in form of an Attribute Certificate conforming to RFC3281 (http://www.ietf.org/rfc/rfc3281.txt). Currently it release two kinds of attributes

Fully Qualified Attribute Name encode the position of the holder inside the vo. A user may be a member of several groups in a vo and may or may not hold a role in the groups he's a member of. This attribute use the following ASN1 syntax
```
IetfAttrSyntax ::= SEQUENCE {
policyAuthorty [0] GeneralNames OPTIONAL,
values                 SEQUENCE OF CHOICE {
  octets OCTET STRING,
  oid       OBJECT IDENTIFIER,
  string  UTF*String
}
}
```
where policyAuthority contains an encoding of bth the VO which the AC issuer serves and the host which generated the attribute in the form of a URI voname:fqhn:port. This would translate pretty good using SAML 2.0 with

<Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           AttributeName="/vo/group/Role=role" AttributeNamespace="vo:host:port">
    </Attribute>

where the AttributeValue element of the Attribute element is optional. In 1.1 it is not thus forcing us to use

<Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           AttributeName="/vo/group/Role=role" AttributeNamespace="vo:host:port">
    </AttributeValue>
</Attribute>

Generic attributes can be used to specify a attributes that don't map in the group/role paradigm. This attribute use the following ASN1 syntax

TagList ::= SEQUENCE {
policyAuthorty GeneralNames,
tags                    SEQUENCE OF Tag 
}
Tag ::= SEQUENCE {
  name       OCTET STRING
  value       OCTET STRING
  qualifier OCTET STRING
}

that translates using SAML in

<Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           AttributeName="attributeName" AttributeNamespace="vo:host:port">
    <AttributeValue>attributeValue</AttributeValue>
</Attribute>

Are SAML assertions as good as Attribute Certificate?

SAML assertions can allocate all the informations contained in Attribute Certificate. Here's a SAML assertion containing an Attribute statement, omitted attribute and signature informations

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AssertionID="_f88edc6a61c93bfed776c7290907697e"
           IssueInstant="2006-05-24T16:12:36Z" Issuer="/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"
           MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2006-05-24T16:12:36Z" NotOnOrAfter="2006-05-25T04:12:36Z"/>
  <AttributeStatement>
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Valerio Venturi/emailAddress=valerio.venturi@cnaf.infn.it</NameIdentifier>
    </Subject>
    <Attribute ...
  </AttributeStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ..........
</Assertion>

-- ValerioVenturi - 10 Jul 2006

View topic | History: r3 < r2 < r1 | More topic actions...