GridShib IdP-first Browser Profile with Attribute Push
This browser profile is an extension of the SAML 1.1 Browser/Artifact profile. Note the similarities between this profile and the IdP-first Non-Browser Profile with Attribute Push.
Preconditions
Protocol Flow
IMPORTANT! We present an IdP-first browser flow for simplicity of presentation only. It is easily extended to an SP-first flow without complications.
Overview
This GridShib profile consists of ten steps:
1. Client authenticates to the IdP
2. IdP returns an artifact response
3. Client presents artifact to the SP
4. SP proxies artifact to MyProxy
5. MyProxy resolves artifact
6. IdP returns authentication assertion and attribute assertion to MyProxy
7. MyProxy returns X.509 credential (with embedded attribute assertion) to SP
8. SP requests a service at Grid SP
9. Grid SP returns a response to the SP
10. SP proxies response to Client
The SP component depicted above is more properly decomposed into an enhanced Shib SP alongside an SP-protected resource (most likely a Java servlet) with grid client functionality.
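The artifact hand-off in steps 2 through 7, as an added simulation that is not part of this GridShib page or of the GridShib code. It assumes SAML 1.1 type 0x0001 artifacts (2-byte type code, 20-byte SHA-1 SourceID of the issuer, 20-byte random assertion handle); the provider identifier, the assertion dicts and the credential dict are hypothetical placeholders standing in for the real SAML and X.509 objects.

```python
"""Constructed model of the GridShib IdP-first flow with attribute push."""
import base64
import hashlib
import os

ARTIFACT_TYPE = b"\x00\x01"  # SAML 1.1 artifact type code 0x0001


def decode_artifact(artifact):
    """Split a base64 SAML 1.1 artifact into (type_code, source_id, handle)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 42:
        raise ValueError("malformed artifact")
    return raw[:2], raw[2:22], raw[22:]


class IdP:
    """Identity provider: mints artifacts (step 2) and resolves each once (step 6)."""

    def __init__(self, provider_id):  # provider_id is a hypothetical placeholder
        self.source_id = hashlib.sha1(provider_id.encode()).digest()
        self._pending = {}  # assertion handle -> (authn assertion, attribute assertion)

    def issue_artifact(self, user, attributes):
        handle = os.urandom(20)
        self._pending[handle] = (
            {"type": "AuthenticationStatement", "subject": user},
            {"type": "AttributeStatement", "subject": user, "attributes": attributes},
        )
        return base64.b64encode(ARTIFACT_TYPE + self.source_id + handle).decode()

    def resolve(self, artifact):
        type_code, source_id, handle = decode_artifact(artifact)
        if type_code != ARTIFACT_TYPE or source_id != self.source_id:
            raise ValueError("artifact was not issued by this IdP")
        if handle not in self._pending:
            raise ValueError("unknown or already-resolved artifact")  # replay defence
        return self._pending.pop(handle)  # single use: the handle is consumed here


class MyProxy:
    """Resolves the artifact proxied by the SP (steps 4-5) and mints the credential (step 7)."""

    def __init__(self, idp):
        self.idp = idp

    def get_credential(self, artifact):
        authn, attr = self.idp.resolve(artifact)
        # Placeholder for an X.509 certificate carrying the attribute assertion as an extension.
        return {"subject_dn": "/CN=" + authn["subject"], "saml_attribute_assertion": attr}
```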
Features
Issues
- What are the details of the exchange at steps 4 and 7?
- What are the details of the exchange at steps 5 and 6?