GridShib IdP-first Browser Profile with Attribute Pull
This browser profile is an extension of the SAML 1.1 Browser/POST profile. Note the close correspondence with the IdP-first Non-Browser Profile with Attribute Pull. Steps 1 and 2 are more or less the same in both profiles (except that the authN assertion returned in the browser case is suitably decorated for the purposes of delegation). Steps 3 and 4 in the non-browser case are equivalent to steps 4 and 5 in the browser case. Likewise, steps 5–8 in the non-browser profile are identical to steps 6–9 in the browser profile.
Preconditions
Protocol Flow
IMPORTANT! We present an IdP-first browser flow for simplicity of presentation only. It is easily extended to an SP-first flow without complications.
Overview
This GridShib profile consists of ten steps:
1. Client authenticates to the IdP
2. IdP returns an authentication assertion
3. Client presents authentication assertion to the SP
4. SP authenticates to MyProxy
5. MyProxy returns X.509 credential to the SP
6. SP requests a service at Grid SP
7. Grid SP issues attribute query to Attribute Authority
8. Attribute Authority returns attribute assertion
9. Grid SP returns a response to the SP
10. SP proxies the response to the Client
The SP component in the flow above is more properly decomposed into an enhanced Shib SP alongside an SP-protected resource (most likely a Java servlet) with grid client functionality.
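As an added illustration (not GridShib project code), the ten-step flow above as an in-process Python model in which every hop verifies the token it receives before acting on it. HMAC over a canonical body stands in for XML signatures, a `delegate_to` field stands in for the delegation decoration the page leaves unspecified, and all keys, party names and attribute values are constructed assumptions.

```python
import hashlib, hmac, json, time

KEYS = {"idp": b"idp-key", "myproxy": b"myproxy-key"}        # constructed signing keys
ATTRIBUTES = {"alice": {"eduPersonAffiliation": "member"}}   # constructed Attribute Authority store

def sign(issuer, claims):
    """Toy stand-in for a signed SAML assertion: HMAC over a canonical JSON body."""
    body = json.dumps(dict(claims, issuer=issuer), sort_keys=True)
    mac = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify(token, issuer, audience, now=None):
    """Return the claims only if signature, issuer, audience and validity window all hold."""
    mac = hmac.new(KEYS[issuer], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, token["mac"]):
        return None
    claims = json.loads(token["body"])
    now = time.time() if now is None else now
    if claims["issuer"] != issuer or claims["audience"] != audience:
        return None
    if not claims["nbf"] <= now < claims["exp"]:
        return None
    return claims

# Steps 1-2: the IdP authenticates the client and returns an authN assertion addressed to the SP.
# The "decoration for delegation" is modeled as a delegate_to field (an assumption of this model).
def idp_issue(subject, sp_id, now, ttl=300):
    return sign("idp", {"subject": subject, "audience": sp_id, "delegate_to": "myproxy",
                        "nbf": now, "exp": now + ttl})

# Steps 4-5: MyProxy accepts the assertion only from the SP it was addressed to and only if the
# assertion permits delegation to MyProxy, then issues a credential for the subject.
def myproxy_issue(assertion, presenter, now):
    claims = verify(assertion, "idp", presenter, now)
    if claims is None or claims.get("delegate_to") != "myproxy":
        return None
    return sign("myproxy", {"subject": claims["subject"], "audience": "gridsp",
                            "nbf": now, "exp": now + 3600})

# Steps 6-9: the Grid SP checks the credential, pulls the subject's attributes from the AA, responds.
def gridsp_service(credential, now):
    claims = verify(credential, "myproxy", "gridsp", now)
    if claims is None:
        return {"status": "denied"}
    return {"status": "ok", "subject": claims["subject"],
            "attributes": ATTRIBUTES.get(claims["subject"], {})}

# Steps 3 and 10: the SP receives the assertion from the browser, drives steps 4-9, proxies the result.
def sp_flow(assertion, now):
    if verify(assertion, "idp", "sp", now) is None:
        return {"status": "denied"}
    credential = myproxy_issue(assertion, "sp", now)
    return gridsp_service(credential, now) if credential else {"status": "denied"}
```

Running `sp_flow(idp_issue("alice", "sp", now), now)` returns the subject's attributes, while an expired, mis-addressed or tampered assertion is denied at the first hop that checks it.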
Features
Issues
- Specify a "suitably decorated" authentication assertion with delegation.
- What are the details of the exchange at steps 4 and 5?