On Tue, Sep 16, 2008 at 11:39 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
Tom Scavo wrote:
If the user possesses a username/password only, how does one obtain a trusted proxy certificate (with bound SAML token)? I don't know the best answer to that question, so I'll leave it open for now.
The answer is, he does not need to, if the SAML tokens are signed by the trusted AA.
If you use Attribute Based Access Controls, then the identifier of the user (i.e. the DN from the proxy cert) is irrelevant. All you need are the valid attributes of the user that can be used in the authz decision making. You have these from the signed SAML assertions, which state that the holder of key Z has the following attributes. The CVS will happily validate these SAML attribute assertions against its policy rules for who are trusted AAs (using the OGSA-Authz WS-Trust profile). You can in fact include multiple SAML assertions from multiple IdPs in the X.509 proxy if you want to (and copy these into the WS-Trust message). The GT4 PEP knows that the user is the holder of the key that issued the proxy certificate, so the attributes belong to him. You can even use a self-signed EE certificate if you want to, since it is possession of the private key that is important, not trust in the DN. And you can get the user to sign the request message to GT4 if signing of the certificate is not sufficient for you. So forget about having a trusted DN; it's irrelevant in ABAC. (This is another good reason for moving on from gridmap files :-)
Hear, hear! :-) Thanks for letting me explain all that, David. Tom
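The decision flow David describes, written out as an added example (it is not code from this thread, from GT4, or from the PERMIS CVS): an attribute authority signs a statement that "the holder of key Z has these attributes"; the client signs its request with key Z to prove possession; the PEP verifies the request signature, keeps only assertions that are signed by a trusted AA and bound to the requester's key, and then evaluates an attribute-only policy. No DN appears anywhere in the decision. Ed25519 signatures and JSON stand in for X.509/XML-DSig and SAML, the AA names, attribute names and the "submit-job" rule are all made up for the illustration, and the trusted-AA table plays the role of the CVS policy's list of trusted issuers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Assertion is a stand-in for a signed SAML attribute assertion: the issuing
// AA states that the holder of SubjectKey ("key Z") has Attributes.
type Assertion struct {
	Issuer     string            `json:"issuer"`
	SubjectKey string            `json:"subject_key"` // hex ed25519 public key
	Attributes map[string]string `json:"attributes"`
	Signature  []byte            `json:"sig,omitempty"`
}

// signedBytes is the canonical form the AA signs (map keys sort in JSON).
// Value receiver: clearing Signature only touches the local copy.
func (a Assertion) signedBytes() []byte {
	a.Signature = nil
	b, err := json.Marshal(a)
	if err != nil {
		panic(err)
	}
	return b
}

// IssueAssertion is what a trusted AA does for a user it knows: bind
// attributes to the user's key, not to a DN.
func IssueAssertion(issuer string, aaKey ed25519.PrivateKey, holder ed25519.PublicKey, attrs map[string]string) Assertion {
	a := Assertion{Issuer: issuer, SubjectKey: hex.EncodeToString(holder), Attributes: attrs}
	a.Signature = ed25519.Sign(aaKey, a.signedBytes())
	return a
}

// Request carries the assertions to the PEP and is signed by the client's key,
// which is the proof of possession the PEP relies on.
type Request struct {
	Action     string      `json:"action"`
	Resource   string      `json:"resource"`
	Assertions []Assertion `json:"assertions"`
	ClientKey  []byte      `json:"client_key"`
	Signature  []byte      `json:"sig,omitempty"`
}

func (r Request) signedBytes() []byte {
	r.Signature = nil
	b, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return b
}

func SignRequest(clientKey ed25519.PrivateKey, action, resource string, assertions []Assertion) Request {
	r := Request{Action: action, Resource: resource, Assertions: assertions,
		ClientKey: clientKey.Public().(ed25519.PublicKey)}
	r.Signature = ed25519.Sign(clientKey, r.signedBytes())
	return r
}

// Rule: to perform Action the caller must hold every attribute in Requires.
// This is the whole policy; note there is no subject identifier in it.
type Rule struct {
	Action   string
	Requires map[string]string
}

type Decision struct {
	Permit     bool
	Reason     string
	Attributes map[string]string // the validated attributes the decision used
}

// Authorize is the PEP/PDP step: possession check, then issuer trust and
// key binding per assertion, then an attribute-only policy evaluation.
func Authorize(req Request, trustedAAs map[string]ed25519.PublicKey, rules []Rule) Decision {
	clientKey := ed25519.PublicKey(req.ClientKey)
	if len(clientKey) != ed25519.PublicKeySize || !ed25519.Verify(clientKey, req.signedBytes(), req.Signature) {
		return Decision{Reason: "request not signed by the claimed client key"}
	}
	attrs := map[string]string{}
	for _, a := range req.Assertions {
		aaKey, ok := trustedAAs[a.Issuer]
		if !ok || !ed25519.Verify(aaKey, a.signedBytes(), a.Signature) {
			continue // unknown issuer, or not actually signed by that issuer: ignore
		}
		if a.SubjectKey != hex.EncodeToString(clientKey) {
			continue // valid assertion, but about some other key holder: ignore
		}
		for k, v := range a.Attributes {
			attrs[k] = v // later trusted assertions win on conflicts (an assumption)
		}
	}
	for _, r := range rules {
		if r.Action != req.Action {
			continue
		}
		for k, v := range r.Requires {
			if attrs[k] != v {
				return Decision{Reason: fmt.Sprintf("missing attribute %s=%s", k, v), Attributes: attrs}
			}
		}
		return Decision{Permit: true, Reason: "all required attributes present", Attributes: attrs}
	}
	return Decision{Reason: "no rule for action " + req.Action, Attributes: attrs}
}

func main() {
	aaPub, aaPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"aa.example.org": aaPub}
	rules := []Rule{{Action: "submit-job", Requires: map[string]string{"role": "researcher", "vo": "ogf"}}}
	a := IssueAssertion("aa.example.org", aaPriv, userPub, map[string]string{"role": "researcher", "vo": "ogf"})
	fmt.Println(Authorize(SignRequest(userPriv, "submit-job", "cluster-1", []Assertion{a}), trusted, rules))
	fmt.Println(Authorize(SignRequest(otherPriv, "submit-job", "cluster-1", []Assertion{a}), trusted, rules))
}
```

The second call in main shows why the DN is unnecessary: the same signed assertion, presented by someone who does not hold key Z, contributes no attributes and is refused, even though the assertion itself is genuine.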