GridShib IdP-first Browser Profile with Attribute Push

This browser profile extends the SAML 1.1 Browser/Artifact profile. Note the similarities between this profile and the IdP-first Non-Browser Profile with Attribute Push: the steps differ only in how the artifact reaches the SP (a browser redirect here, a direct client exchange there).

Preconditions

Protocol Flow

IMPORTANT! We present an IdP-first browser flow for simplicity of presentation only. It extends to an SP-first flow (where the client first contacts the SP and is redirected to its IdP) without complications.

Overview

This GridShib profile consists of ten steps:

  1. Client authenticates to the IdP
  2. IdP returns an artifact response
  3. Client presents artifact to the SP
  4. SP proxies artifact to MyProxy
  5. MyProxy resolves artifact
  6. IdP returns authentication assertion and attribute assertion to MyProxy
  7. MyProxy returns X.509 credential (with embedded attribute assertion) to SP
  8. SP requests a service at Grid SP
  9. Grid SP returns a response to the SP
  10. SP proxies response to Client

The SP component in the flow above is more properly decomposed into an enhanced Shib SP alongside an SP-protected resource (most likely a Java servlet) that carries the grid client functionality used in steps 8 and 9.
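The artifact exchange at the heart of this flow (steps 2, 3, 5 and 6) can be simulated in-process. The following is an added example, not GridShib or MyProxy code: it assumes the SAML 1.1 Type 1 artifact layout from the SAML 1.1 Bindings specification (2-byte TypeCode 0x0001, 20-byte SourceID = SHA-1 of the IdP's identifier, 20-byte random AssertionHandle, base64-encoded) and represents assertions as plain dicts. The `IdP`, `MyProxy`, `parse_artifact` and `SP` names and the sample user and attribute are constructed for illustration. Steps 4 and 7, whose details the page leaves as open issues, are reduced to a pass-through. The checks a practitioner wants are the ones shown: MyProxy accepts artifacts only from IdPs it trusts (looked up by SourceID), and each artifact resolves exactly once, so a replayed or guessed artifact is refused.

```python
"""Added example (not GridShib's code): SAML 1.1 Type 1 artifact issuance
and one-time resolution, simulated in-process."""
import base64
import hashlib
import secrets

TYPE_CODE = b"\x00\x01"   # SAML 1.1 artifact type 1 (assumed from the Bindings spec)
SOURCE_ID_LEN = 20        # SHA-1 digest of the IdP identifier
HANDLE_LEN = 20           # random, unguessable assertion handle


class IdP:
    """Identity provider: authenticates the client, mints one-time artifacts
    (steps 1-2) and resolves them for MyProxy (steps 5-6)."""

    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.source_id = hashlib.sha1(provider_id.encode()).digest()
        # AssertionHandle -> (authentication assertion, attribute assertion)
        self._pending = {}

    def authenticate(self, user, attributes):
        """After a successful login, bind fresh assertions to a random handle
        and return the base64 artifact the browser will carry to the SP."""
        handle = secrets.token_bytes(HANDLE_LEN)
        authn = {"subject": user,
                 "method": "urn:oasis:names:tc:SAML:1.0:am:password"}
        attrs = {"subject": user, "attributes": dict(attributes)}
        self._pending[handle] = (authn, attrs)
        return base64.b64encode(TYPE_CODE + self.source_id + handle).decode()

    def resolve(self, handle):
        """Hand out the assertions exactly once; a second resolution of the
        same handle (replay) returns None."""
        return self._pending.pop(handle, None)


def parse_artifact(artifact):
    """Split a Type 1 artifact into (SourceID, AssertionHandle), rejecting
    anything that is not exactly 42 bytes of the expected shape."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 2 + SOURCE_ID_LEN + HANDLE_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 1.1 type 1 artifact")
    return raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]


class MyProxy:
    """Resolves artifacts against a fixed set of trusted IdPs (step 5)."""

    def __init__(self, trusted_idps):
        self._by_source = {idp.source_id: idp for idp in trusted_idps}

    def resolve_artifact(self, artifact):
        source_id, handle = parse_artifact(artifact)
        idp = self._by_source.get(source_id)
        if idp is None:
            raise PermissionError("artifact from an untrusted IdP")
        assertions = idp.resolve(handle)
        if assertions is None:
            raise PermissionError("artifact unknown or already used")
        return assertions


class SP:
    """Step 3/4: receives the artifact from the browser and proxies it to
    MyProxy unchanged; step 7 is simplified to returning the assertions."""

    def __init__(self, myproxy):
        self._myproxy = myproxy

    def login(self, artifact):
        return self._myproxy.resolve_artifact(artifact)


def run_flow():
    """Drive steps 1-6 once and attempt a replay; returns the attribute
    assertion and whether the replay was (correctly) rejected."""
    idp = IdP("https://idp.example.org/shibboleth")   # constructed identifier
    sp = SP(MyProxy([idp]))
    artifact = idp.authenticate("alice", {"eduPersonAffiliation": "member"})
    _authn, attrs = sp.login(artifact)
    try:
        sp.login(artifact)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return attrs, replay_rejected


if __name__ == "__main__":
    print(run_flow())
```

In a real deployment the resolution in step 5 runs over a channel on which the IdP authenticates MyProxy (the SAML 1.1 Browser/Artifact profile requires the resolving party to be authenticated), since the artifact itself is a bearer token; the in-process call above stands in for that channel.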

Features

Issues

  • What are the details of the exchange at steps 4 and 7?
  • What are the details of the exchange at steps 5 and 6?