Use Cases for an X.509 Binding for SAML

An X.509 Binding for SAML is being developed. The following use cases leverage such a binding. In each case, a skeleton of a SAML assertion bundle is given. The SAML assertion bundle is bound to an X.509 certificate, either an end-entity certificate (EEC) or proxy certificate, depending on the use case.

There are two general classes of use cases:

  1. The presenter is the subject
  2. The presenter is an entity (such as a portal or gateway) acting on behalf of the subject

If the Subject of the assertion is the Subject of the certificate, the presenter is the subject. Otherwise the presenter is acting on behalf of the subject.

If you remove the assertion from the certificate, that is, remove the X.509 context, the assertion may lose some of its meaning. In particular, it may not be possible to determine if the presenter is the subject solely by inspecting the assertion. Thus an assertion bound to an X.509 certificate should be re-bound to SOAP (for instance) with care. Indeed, the goal is to capture all of the semantics in the assertion itself, so that the binding becomes irrelevant.
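The rule above, as an added example that is not part of this page or of the GridShib code: a relying party decides whether the presenter is the subject by comparing the certificate's identity with the Subject named in the bundle, and the same bundle classifies differently on a principal's proxy than on a portal's proxy. It assumes that NameIdentifier carries the X.509 subject in OpenSSL one-line form and that a proxy's subject is its EEC subject plus trailing CN components (Globus "proxy"/"limited proxy" or an RFC 3820 numeric CN); all names are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
# Trailing CN components that a Globus-style or RFC 3820 proxy appends to its EEC subject.
_PROXY_CN = re.compile(r"(/CN=(proxy|limited proxy|\d+))+$")

def identity_dn(cert_subject):
    """Map a proxy subject back to the EEC subject it was derived from (the presenter's identity)."""
    return _PROXY_CN.sub("", cert_subject)

def assertion_subjects(bundle_xml):
    """Distinct NameIdentifier values across every saml:Subject in the bundle."""
    root = ET.fromstring(bundle_xml)
    return {n.text.strip() for n in root.iterfind(".//saml:Subject/saml:NameIdentifier", NS)}

def classify_presenter(cert_subject, bundle_xml):
    """'subject' if the certificate identity is the assertion Subject, else 'on-behalf-of'.
    Assumes NameIdentifier carries the X.509 subject in the same one-line form as cert_subject;
    a bundle naming several distinct subjects is rejected rather than guessed at."""
    subjects = assertion_subjects(bundle_xml)
    if len(subjects) != 1:
        raise ValueError("bundle names %d distinct subjects" % len(subjects))
    return "subject" if identity_dn(cert_subject) in subjects else "on-behalf-of"

# Constructed sample with hypothetical names: a portal-issued bundle shaped like "nanoHUB push".
PRINCIPAL = "/C=US/O=Example Campus/CN=Alice Researcher"
PORTAL = "/C=US/O=Example Community/CN=nanohub-portal"
BUNDLE = f"""<bundle xmlns:saml="{SAML}">
 <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="{PORTAL}">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                                AuthenticationInstant="2006-01-01T00:00:00Z">
   <saml:Subject><saml:NameIdentifier>{PRINCIPAL}</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
 </saml:Assertion>
 <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a2" Issuer="{PORTAL}">
  <saml:AttributeStatement>
   <saml:Subject><saml:NameIdentifier>{PRINCIPAL}</saml:NameIdentifier></saml:Subject>
   <saml:Attribute AttributeName="group"><saml:AttributeValue>nanohub-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</bundle>"""

if __name__ == "__main__":
    # The same bundle reads differently depending on which certificate it rides on.
    print(classify_presenter(PRINCIPAL + "/CN=proxy", BUNDLE))    # subject
    print(classify_presenter(PORTAL + "/CN=1163625", BUNDLE))     # on-behalf-of
```

Without the certificate subject the function cannot be called at all, which is the loss of meaning the paragraph above describes when the assertion is taken out of its X.509 context.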


The Presenter is the Subject


$ Principal Self-assertion: A principal issues an attribute assertion with self-asserted attributes. Using the GridShib SAMLAssertionTools, the principal binds the assertion to a proxy certificate and uses this certificate to authenticate to a Grid SP.

	 <!-- self-assertion -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<!-- self-asserted attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>


$ Principal Self-query: A principal authenticates to a SAML Attribute Authority (AA). The AA responds with a signed assertion containing both an AuthenticationStatement and an AttributeStatement. The assertion contains a SubjectConfirmation/ConfirmationMethod element having value holder-of-key (not shown below). Using the GridShib SAMLAssertionTools, the principal binds the assertion to a proxy certificate and uses this certificate to authenticate to a Grid SP.

	 <!-- self-query -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to the IdP -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
		<!-- campus attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
		<ds:Signature>...</ds:Signature>
	 </saml:Assertion>


$ Shib-enabled GridShib CA: A principal authenticates to the GridShib CA using campus credentials. The CA queries the campus Shibboleth AA for attributes on behalf of the principal. The AA responds with an assertion containing a single AttributeStatement. The CA issues its own attribute assertion containing attributes for which it is authoritative. The CA binds both assertions to a short-lived EEC that is issued directly to the principal.

	 <!-- shib-enabled gridshib ca -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:Advice>
		  <!-- attribute assertion obtained from campus Shib AA -->
		  <saml:Assertion ...>...</saml:Assertion>
		  <!-- authn assertion obtained from campus Shib IdP (if available) -->
		  <saml:Assertion ...>...</saml:Assertion>
		</saml:Advice>
		<!-- self-asserted attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this EEC -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>


$ MyProxy Online CA: A principal authenticates to the MyProxy Online CA. The CA issues a SAML authentication assertion that describes this act of authentication. The CA binds this assertion to an EEC, which is issued directly to the principal.

	 <!-- myproxy online ca -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to myproxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
	 </saml:Assertion>


$ Community Authorization Service: A principal authenticates to a Community Authorization Service (CAS) server. The CAS server, using its community credential, binds a self-issued authorization decision assertion to a proxy, which is issued directly to the principal.

	 <!-- CAS -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to the CAS server -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
		<!-- self-asserted authz decision -->
		<saml:AuthorizationDecisionStatement ...>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthorizationDecisionStatement>
	 </saml:Assertion>

The Presenter is Acting on Behalf of the Subject


$ nanoHUB pull: A community portal authenticates a principal by unspecified means. The portal, using its community credential and the GridShib SAMLAssertionTools, binds a self-issued assertion containing an AuthenticationStatement to a proxy certificate. The portal uses this certificate to request a grid service on behalf of the principal.

	 <!-- nanoHUB pull -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to the nanoHUB portal -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
	 </saml:Assertion>


$ nanoHUB push: A community portal authenticates a principal by unspecified means. As in the previous use case, the portal first self-issues an assertion containing an AuthenticationStatement. Next the portal queries a local SAML AA for attributes on behalf of the principal. The SAML AA responds with an assertion containing a single AttributeStatement. The portal, using its community credential, binds the two assertions to a proxy, which is used to request a grid service on behalf of the principal.

	 <!-- nanoHUB push -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to the nanoHUB portal -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
	 </saml:Assertion>
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<!-- nanoHUB community attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>


$ NVO push: A community portal authenticates a principal by unspecified means. Using the SAMLAssertionTools, the portal self-issues an assertion containing an AuthenticationStatement and an AttributeStatement. The portal, again using the SAMLAssertionTools, binds the assertion to a proxy certificate, which is used to request a grid service on behalf of the principal.

	 <!-- NVO push -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to the NVO portal -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
		<!-- NVO community attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>


$ Shib-enabled Science Gateway: An IdP pushes attributes to a Shib-enabled Science Gateway on behalf of a principal. The signed response consists of two assertions, one containing an AuthenticationStatement and the other containing an AttributeStatement. In addition, the Gateway queries a local SAML AA for attributes on behalf of the principal. The SAML AA responds with an assertion containing a single AttributeStatement. The Gateway, using its community credential, binds the three assertions to a proxy certificate, which is used to request a grid service on behalf of the principal.

	 <!-- shib-enabled science gateway -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:Advice>
		  <!-- attribute assertion obtained from campus Shib AA -->
		  <saml:Assertion ...>...</saml:Assertion>
		  <!-- authn assertion obtained from campus Shib IdP (if available) -->
		  <saml:Assertion ...>...</saml:Assertion>
		</saml:Advice>
		<!-- community attributes -->
		<saml:AttributeStatement>
		  <!-- the subject of this proxy -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>

Alternatively, the Gateway can leverage a MyProxy Server to issue an EEC in lieu of a proxy certificate. In either case, the bound SAML assertion bundle is the same.