Implementation Plan
Proposed: October 12, 2006
Development
- GridShib for GT
- implement Simple SAML PIP
- extract SAML from the last certificate in the chain (EEC or proxy)
- expect zero or one SAML assertions with 1–2 statements
- assertions are self-issued and unsigned
- assertions do not contain Conditions or SubjectConfirmation elements
- assertions do not contain an Advice element (i.e., ignore nested assertions)
- statements may be AttributeStatement or AuthenticationStatement
- log all attributes including XML attributes of AuthenticationStatement
- (do not query if SAML is pushed)
- leverage Globus SAML library (below), especially the SAMLSubjectAssertion class
- GridShib for Shib
- [done] rename package edu.internet2.middleware.shibboleth to edu.uiuc.ncsa.middleware.shibboleth
- separate Certificate Registry from main distribution (make it totally optional)
- [in progress] implement SAML Issuer Tool
- GridShib Authentication Assertion Client
- (will be refactored as a result of SAML X.509 Binding Tool)
- conform to SAML V1.1 Subject-based Assertion Profile
- [done] hardwire the assertion issuer (the issuer of the assertion MUST be the subject of the proxy)
- [done] leverage SAML X.509 Binding Tool (below)
- expand command-line options
- SAML Assertion Tools
- https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/SAMLAssertionTools
- [in progress] implement GridShib SAML Issuer Tool
- [in progress] SAML X.509 Binding Tool
- implement X.509 Binding for SAML Assertions
- clone org.globus.wsrf.client.EmbedAssertion
- accept single SAML assertion as input
- (bind IdP entityID to SIA extension)
- implement GridShib Attribute Query Client
- Globus SAML Library
- [done] augment license headers (if needed)
- [done] rename package org.opensaml.nameid to org.globus.opensaml11.saml.nameid
- [done] implement object equivalence
- [done] enhance SAMLNameIdentifier class (and its unit test)
- implement SAMLAssertion.checkConditions method
- [done] implement SAMLSubjectAssertion class (and corresponding unit test)
- [done] implement SAMLSubjectAssertion.checkValidity method
- [done] implement "very strongly matches" in SAMLSubjectAssertion
- [in progress] implement "strongly matches" in SAMLSubject
- [done] enhance SAMLSubjectTest
- [done] implement concrete SAMLSubjectStatement class
- override SAMLResponse.checkValidity method
- commit package org.globus.opensaml11.saml to CVS
- GridShib CA
- register certificate on the front channel
- bind simple attribute assertion to EEC
- (do not bind SSO assertions)
- bind IdP entityID to SIA extension
Specifications
- [in progress] Subject-based Assertion Profile for SAML V1.1
- http://dev.globus.org/wiki/SAML_in_X.509_Validation#Subject-based_Assertion_Profile
- specify general requirements for SAML V1.1 assertions to make them equivalent to SAML V2.0 assertions
- define the notion of a set of subject-based assertions
- X.509 Binding for SAML Assertions
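The Simple SAML PIP rules listed under Development, and the Subject-based Assertion Profile they rely on, as an added example (not GridShib or Globus code; written in Python rather than the project's Java so it runs stand-alone). It assumes the SAML XML has already been extracted from the last certificate in the chain and that the certificate's subject is handed in as a plain string for the Issuer check; the sample assertion, DN and attribute values are constructed. Rejecting an unexpected ds:Signature and requiring every statement to share one subject are this example's choices, not rules stated in the plan.

```python
"""Check a SAML V1.1 assertion pushed inside an X.509 certificate (added example,
not GridShib/Globus code; extraction from the certificate extension is assumed done)."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def q(local, ns=SAML1):
    """Clark-notation tag for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


ALLOWED_STATEMENTS = {q("AttributeStatement"), q("AuthenticationStatement")}
# Conditions and Advice are excluded by the profile.  Rejecting a ds:Signature is
# this example's choice: the pushed assertion is expected to be self-issued and unsigned.
FORBIDDEN_CHILDREN = {q("Conditions"), q("Advice"), q("Signature", DSIG)}


class ProfileError(ValueError):
    """The pushed assertion violates the profile; the PIP must not use it."""


def subject_key(subject):
    """Identity of a saml:Subject as (NameIdentifier value, Format, NameQualifier)."""
    if subject is None:
        raise ProfileError("statement without a Subject")
    if subject.find(q("SubjectConfirmation")) is not None:
        raise ProfileError("SubjectConfirmation is not allowed")
    nid = subject.find(q("NameIdentifier"))
    if nid is None:
        raise ProfileError("Subject without NameIdentifier")
    return ((nid.text or "").strip(), nid.get("Format"), nid.get("NameQualifier"))


def parse_pushed_assertion(saml_xml, cert_subject):
    """Validate one pushed assertion and return what the PIP should log.

    None means nothing was pushed.  Otherwise a dict with "subject" (see subject_key),
    "authn" (XML attributes of the AuthenticationStatement, or None) and
    "attributes" ({AttributeName: [values]}).  Raises ProfileError on any violation.
    """
    if not saml_xml or not saml_xml.strip():
        return None
    root = ET.fromstring(saml_xml)
    if root.tag != q("Assertion"):
        raise ProfileError("expected a single saml:Assertion, got %s" % root.tag)
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ProfileError("not a SAML V1.1 assertion")
    # Self-issued: the Issuer MUST be the subject of the certificate it rides in.
    if root.get("Issuer") != cert_subject:
        raise ProfileError("Issuer %r is not the certificate subject" % root.get("Issuer"))
    children = list(root)
    forbidden = [c.tag for c in children if c.tag in FORBIDDEN_CHILDREN]
    if forbidden:
        raise ProfileError("forbidden elements: %s" % ", ".join(forbidden))
    if any(c.tag not in ALLOWED_STATEMENTS for c in children):
        raise ProfileError("only AttributeStatement/AuthenticationStatement allowed")
    if not 1 <= len(children) <= 2:
        raise ProfileError("expected 1-2 statements, got %d" % len(children))
    subjects, result = set(), {"authn": None, "attributes": {}}
    for st in children:
        subjects.add(subject_key(st.find(q("Subject"))))
        if st.tag == q("AuthenticationStatement"):
            result["authn"] = {"AuthenticationMethod": st.get("AuthenticationMethod"),
                               "AuthenticationInstant": st.get("AuthenticationInstant")}
        else:
            for attr in st.findall(q("Attribute")):
                values = [(v.text or "").strip() for v in attr.findall(q("AttributeValue"))]
                result["attributes"].setdefault(attr.get("AttributeName"), []).extend(values)
    # Subject-based: all statements in the assertion must be about one subject
    # (this example's consistency check, not the page's "strongly matches" definition).
    if len(subjects) != 1:
        raise ProfileError("statements refer to different subjects")
    result["subject"] = subjects.pop()
    return result


def violates_profile(saml_xml, cert_subject):
    """Return the ProfileError message for a rejected assertion, or None if accepted."""
    try:
        parse_pushed_assertion(saml_xml, cert_subject)
        return None
    except ProfileError as err:
        return str(err)


# Constructed sample data: the DN stands in for the proxy certificate's subject.
CERT_SUBJECT = "CN=1234567,CN=Alice Example,OU=People,O=Example Grid"
NAMEID = ('<saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" '
          'NameQualifier="https://idp.example.org/shibboleth">_a1b2c3</saml:NameIdentifier>')
PUSHED_XML = """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1"
    AssertionID="_example1" Issuer="%s" IssueInstant="2006-10-12T12:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-10-12T11:59:30Z">
    <saml:Subject>%s</saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>%s</saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (SAML1, CERT_SUBJECT, NAMEID, NAMEID)
# The same assertion with a Conditions element, which the profile forbids.
REJECTED_XML = PUSHED_XML.replace("<saml:AuthenticationStatement",
    '<saml:Conditions NotOnOrAfter="2006-10-12T13:00:00Z"/><saml:AuthenticationStatement', 1)
```

The returned dict is the material the PIP logs (attribute names and values plus the AuthenticationMethod and AuthenticationInstant of the AuthenticationStatement); a ProfileError means the pushed assertion is not used. An empty input stands for the zero-assertion case, in which the PIP has nothing to log and, since nothing was pushed, would fall back to whatever query behaviour the deployment configures.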
Deliverables
- GridShib for GT V0.6
- GridShib for Shib V0.6 (Jan 2007)
- improved packaging and documentation
- Shib SAML Issuer Tool
- GridShib SAML Tools (Jan 2007)
- GridShib SAML Issuer Tool
- SAML X.509 Binding Tool
- GridShib Attribute Query Client
- Globus SAML Library V?
- Subject-based Assertion Profile for SAML V1.1
- X.509 Binding for SAML Assertions