GridShib Quick Start

GridShib Quick Start
April 30, 2008

This GridShib Quick Start gives detailed instructions for using GridShib for GT v0.6, GridShib SAML Tools v0.3, and GridShib CA v0.5 together on Windows and UNIX systems. The GridShib SAML Tools is a standalone suite of client tools requiring only Java and Ant. GridShib for GT is a plugin for Globus Toolkit (GT). A lightweight alternative to installing the full Globus Toolkit is to install the Java WS Core component of GT and then install GridShib for GT on top of that (see the Getting Started section for details). Finally, we show how to use a public instance of the GridShib CA to bootstrap the X.509 environment on your laptop or desktop.

This Quick Start concentrates on the following deployment scenarios:

• Shib-enabled Science Gateway
• GridShib-enabled Grid Security Infrastructure

In particular, all the examples in the section entitled Configuring GridShib for GT for Attribute Push address the Science Gateway Use Case.

Contents

• Getting Started
• Configuring GridShib for GT for Attribute Push
  • The default configuration
  • Configure attribute acceptance policy
  • Configure a blacklist
  • Configure attribute mapping
  • Configure attribute-based authorization policy
  • Configure a combined interceptor
  • Configure complex authorization policy

Getting Started

This Quick Start requires two logical systems: a client system and a server system. The client system presents an X.509 certificate containing an X.509-bound SAML token to a GridShib-protected service running on the server system. Thus a suitable client system should be able to do the following:

1. Request an end-entity credential from the GridShib CA using a browser
2. Issue a proxy credential using a Java command-line tool provided by the GridShib SAML Tools
3. Request a web service using a Java command-line client included in GridShib for GT

At least one of steps 1 or 2 is required to obtain an X.509 certificate containing an X.509-bound SAML token. Using both the GridShib CA and the GridShib SAML Tools demonstrates that SAML information can come from multiple certificates in the presented certificate chain, so a client system that wields a browser is highly desirable.

The client system requires GridShib SAML Tools and GridShib for GT, while the server system requires GridShib for GT only. Since GridShib for GT strictly requires only Java WS Core (as opposed to the full GT software stack), the basic requirements for running a client and a server are fairly lightweight. We provide the following guides to help you install a minimal software stack suitable for this Quick Start:

• Installing GridShib on Windows
• Installing GridShib on UNIX

Some possible deployment scenarios are outlined below:

• Both the client and the server are deployed on a single physical system.
  • If the physical system is a Windows laptop or desktop, Java WS Core must be installed (since full GT is not supported on Windows).
  • If the physical system is a Mac laptop or desktop, either Java WS Core or full GT may be installed.
  • If the physical system is a Linux or UNIX server, typically full GT is installed but Java WS Core is sufficient. Since the GridShib CA is not (easily) leveraged in this case, this isn't an optimal solution for this Quick Start.
• The client and server systems are deployed on separate systems.
  • If the client system is a laptop or desktop, the GridShib CA can be used.
  • The server system must be running SOAP services in a Globus container on the network.

For the rest of this Quick Start, we assume the client system is a laptop or desktop so that an end-entity credential can be requested from the shib-enabled GridShib CA.

Configuring GridShib for GT for Attribute Push

This section shows how to configure GridShib for GT for attribute push. The requester authenticates to the service by presenting an X.509 certificate chain. One or more certificates in the chain may contain a SAML assertion bound to a non-critical X.509 v3 certificate extension. The security information in the SAML assertion(s) may be used for access control. After the requester is authenticated, the request passes through the authorization chain illustrated below.

As the request passess through the authorization chain, the policy information points (denoted by hexagons in the diagram) populate a security context with the security information gleaned from the SAML assertion(s). If any policy decision point (denoted by diamond shapes above) in the authorization chain returns DENY, processing is short-circuited and the request is denied. On the other hand, if the request passes through the entire authorization chain such that no policy decision point returns DENY, the request is permitted.

In what follows, we assume a client system and a server system have been deployed as outlined in the Getting Started section. For convenience, we also assume that both the client and the server are installed on the same system. If this is not the case, be sure to replace localhost in the commands below with the correct IP address or DNS address of the server system.

This tutorial refers to various configuration files included with GridShib for GT and GridShib SAML Tools:

  UNIX:
  $ export CONFIG_DIR=$GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0
  $ ls -l $CONFIG_DIR/echo-service-security-descriptor.xml /
        $CONFIG_DIR/server-config.wsdd /
        $CONFIG_DIR/blacklist_ip_addresses.txt /
        $CONFIG_DIR/blacklist_name_ids.txt /
        $CONFIG_DIR/echo-attr-authz-vo.xml /
        $CONFIG_DIR/echo-attr-authz-vo-roles.xml /
        $CONFIG_DIR/echo-attr-authz-c.xml /
        $CONFIG_DIR/idp-metadata/trusted_authorities_entity_map.txt

  Windows:
  > set CONFIG_DIR=%GLOBUS_LOCATION%/etc/gridshib-gt-echo-0_6_0
  > dir %CONFIG_DIR%/echo-service-security-descriptor.xml
        %CONFIG_DIR%/server-config.wsdd
        %CONFIG_DIR%/blacklist_ip_addresses.txt
        %CONFIG_DIR%/blacklist_name_ids.txt
        %CONFIG_DIR%/echo-attr-authz-vo.xml
        %CONFIG_DIR%/echo-attr-authz-vo-roles.xml
        %CONFIG_DIR%/echo-attr-authz-c.xml
        %CONFIG_DIR%/idp-metadata/trusted_authorities_entity_map.txt

In what follows, we will use short (system independent) filenames when referring to the above configuration files.

Before we get started, create a GridShib SAML Tools configuration properties file:

  UNIX:
  $ su - globus
  $ echo $HOME
  /home/globus
  $ echo /tmp/x509up_u$UID
  /tmp/x509up_u504
  $ cat $GRIDSHIB_HOME/etc/my-saml-issuer.properties
  # BEGIN my-saml-issuer.properties

  # SAML NameIdentifier
  NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  NameID.Format.template=%PRINCIPAL%

  # FriendlyName="isMemberOf"
  Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
  Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  Attribute.isMemberOf.Value=group://nanohub.org/nanohub  group://gisolve.org/gisolve

  # FriendlyName="countryName"
  Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
  Attribute.countryName.Name=urn:oid:2.5.4.6
  Attribute.countryName.Value=US

  # X.509 Issuing Credential
  certLocation=file:///tmp/x509up_u504
  keyLocation=file:///tmp/x509up_u504

  # END my-saml-issuer.properties

  Windows:
  > echo %USERPROFILE%
  C:/Documents and Settings/globus
  > echo %TEMP%/x509up_u_%USERNAME%
  C:/DOCUME~1/GLOBUS/LOCALS~1/Temp/x509up_u_globus
  > type %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
  # BEGIN my-saml-issuer.properties

  # SAML NameIdentifier
  NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  NameID.Format.template=%PRINCIPAL%

  # FriendlyName="isMemberOf"
  Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
  Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  Attribute.isMemberOf.Value=group://nanohub.org/nanohub  group://gisolve.org/gisolve

  # FriendlyName="countryName"
  Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
  Attribute.countryName.Name=urn:oid:2.5.4.6
  Attribute.countryName.Value=US

  # X.509 Issuing Credential
  certLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus
  keyLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus

  # END my-saml-issuer.properties

In both cases, note that the isMemberOf attribute is multi-valued and that the two attribute values are separated by a tab character.

The default configuration

Out of the box, the GridShib SecurityContextEchoService on the server system is configured for attribute push. All requests for SecurityContextEchoService are intercepted by the SAMLAssertionPushPIP (PushPIP), which extracts and parses any SAML tokens bound to the presented X.509 certificate chain. The resulting security context is logged but no policy is applied. Indeed, a policy information point (PIP) does not return an access control decision, so the GT 4.0 authorization framework permits access by default.

Issue a level 1 proxy credential on the client system and request the SecurityContextEchoService on the server system:

1. Inspect the configuration of SecurityContextEchoService on the server system.
   By default, the SecurityContextEchoService is configured for attribute push.
   1. In echo-service-security-descriptor.xml, an interceptor called SAMLAssertionPushPIP is configured:

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>

      This interceptor consumes any X.509-bound SAML assertions in the presented certificate chain.
2. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
   To demonstrate attribute push, use the GridShib SAML Tools to issue a proxy certificate signed by the GridShib CA-issued end-entity credential on the client system. The resulting certificate chain will contain two SAML assertions, one bound to the end-entity certificate issued by the GridShib CA and another one bound to the proxy certificate issued by the SAML Tools. A request to the SecurityContextEchoService will be intercepted by the SAMLAssertionPushPIP, the assertions will be extracted and parsed, and the results will be echoed back to the requester.
   1. In a shell window on the server system, start a secure container. Note how SAMLAssertionPushPIP initializes in the container logs.
   2. In a shell window on the client system, issue a level 1 proxy, set the proxy path, and request the service:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ export X509_USER_PROXY=/tmp/testcredential.pem
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > set X509_USER_PROXY=%TEMP%/testcredential.pem
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        ---------
        Response:
        ---------
      
        Principal {
          name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
                /OU=https://idp.protectnetwork.org/protectnetwork-idp
                /CN=trscavo@idp.protectnetwork.org'
          type='Globus'
        }
        (untrusted) SAMLIdentity {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                    trscavo
                  </NameIdentifier>'
        }
        (untrusted) SAMLIdentity {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                    CN=trscavo@idp.protectnetwork.org,
                    OU=https://idp.protectnetwork.org/protectnetwork-idp,
                    O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
                  </NameIdentifier>'
        }
        (untrusted) SAMLAuthnContext {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
          authnInstant='2008-01-24T22:29:18Z'
          ipAddress='null'
          dnsName='null'
        }
        (untrusted) BasicAttribute {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          name='urn:oid:2.5.4.6'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='US'
        }
        (untrusted) BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttribute'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValueTwo'
          value #2='testValue'
        }
        (untrusted) BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttributeTwo'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValue'
        }
        (untrusted) BasicAttribute {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='group://gisolve.org/gisolve'
          value #2='group://nanohub.org/nanohub'
        }

      You should receive a total of eight (8) items in the response: one (1) Principal item (representing the authenticated user), two (2) SAMLIdentity items (one of which is from the GridShib CA-issued EEC), one (1) SAMLAuthnContext item, and four (4) BasicAttribute items. Note carefully the issuer of each item. Also note that each item is labeled (untrusted) since none of the security information has been subjected to policy.
   3. In a shell window on the server system, stop the container.

Configure attribute acceptance policy

The SAMLAssertionPushPIP logs the security information in the pushed X.509-bound SAML tokens, but since no policy is applied, we say the information is untrusted. Without rendering an access control decision, the AttributeAcceptancePIP (AAPIP) applies attribute acceptance policy to the security information in the security context. As a result, the untrusted information is filtered from the security context.

Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   By default, the SecurityContextEchoService is configured to accept all attributes (i.e., no policy is applied). We now expand the authorization chain to include attribute acceptance policy. This policy check is enabled by adding another PIP to the authorization chain.
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>

      This enables AttributeAcceptancePIP in the authorization chain.
2. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
   The AttributeAcceptancePIP introduced in the previous step determines which of the "untrusted" items are in fact trusted (by consulting a list of trusted SAML authorities). Any "untrusted" items remaining are removed from the security context.
   1. In a shell window on the server system, start a secure container. Note how AttributeAcceptancePIP initializes in the container logs.
   2. In a shell window on the client system, issue a level 1 proxy, set the proxy path, and request the service:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        ---------
        Response:
        ---------
      
        Principal {
          name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
                /OU=https://idp.protectnetwork.org/protectnetwork-idp
                /CN=trscavo@idp.protectnetwork.org'
          type='Globus'
        }
        SAMLIdentity {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                    CN=trscavo@idp.protectnetwork.org,
                    OU=https://idp.protectnetwork.org/protectnetwork-idp,
                    O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
                  </NameIdentifier>'
        }
        Principal {
          name='CN=trscavo@idp.protectnetwork.org,
                OU=https://idp.protectnetwork.org/protectnetwork-idp,
                O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          type='SAML'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttribute'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValueTwo'
          value #2='testValue'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttributeTwo'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValue'
        }

      This time, since the GridShib CA is the only trusted SAML authority on the list (by default), only five (5) items appear in the response: two (2) Principal items, one (1) SAMLIdentity item, and two (2) BasicAttribute items. Note that one Principal item represents the authenticated user (as mentioned in the previous section) while the other four items are a result of the trusted GridShib CA-issued EEC. The remaining items were removed from the security context by the AttributeAcceptancePIP since they are untrusted.
3. Reconfigure the GridShib SAML Tools on the client system.
   Every SAML assertion has an issuer, and the assertion embedded in the proxy certificate by the SAML Tools is no exception. By default, the tool sets the SAML Issuer to the X.509 Issuer, that is, the Subject DN of the issuing credential. We now reconfigure the GridShib SAML Tools so that the SAML Issuer is a fixed URI. This URI is called the entityID of the SAML issuer.
   1. Add the following lines to my-saml-issuer.properties:

      # Identity Provider entityID
      IdP.entityID=https://gridshib.example.org/idp

      The URI on the righthand side is the entityID of the SAML issuer.
   2. Obtain the Subject DN of your GridShib CA-issued EEC on the client system:

        UNIX:
        $ $GLOBUS_LOCATION/bin/rfc2253dn

        Windows:
        > %GLOBUS_LOCATION%/bin/rfc2253dn

        X.509 Subject DN (Globus):
      
        /DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
        /OU=https://idp.protectnetwork.org/protectnetwork-idp
        /CN=trscavo@idp.protectnetwork.org
      
        X.509 Subject DN (RFC 2253):
      
        CN=trscavo@idp.protectnetwork.org,
        OU=https://idp.protectnetwork.org/protectnetwork-idp,
        O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
      
        X.509 Subject DN (Canonical RFC 2253):
      
        cn=#141e7472736361766f406964702e70726f746563746e6574776f726b2e6f7267,
        ou=https://idp.protectnetwork.org/protectnetwork-idp,
        o=shibboleth user,dc=#1608636f6d7075746572,dc=#16046e637361,
        dc=#160475697563,dc=#1603656475

      The RFC 2253 form of the Subject DN is required in the following step.
4. Configure the AttributeAcceptancePIP on the server system.
   In the current version of GridShib for GT, attribute acceptance policy boils down to a list of trusted SAML authorities. Actually, the PIP consults a file-based mapping of SAML authorities into X.509 authorities. Attributes are accepted from a particular SAML issuer if and only if the issuer's entityID maps to an X.509 Issuer DN. By default, the GridShib CA is a trusted SAML authority. We now add the proxy issuer to the list of trusted SAML authorities.
   1. Add the following line to the trusted SAML authorities file trusted_authorities_entity_map.txt:

      https://gridshib.example.org/idp "Subject DN of your EEC"

      Be sure to use the RFC 2253 form of your Subject DN from the previous step.
5. Request the SecurityContextEchoService again.
   By virtue of the mapping added to trusted_authorities_entity_map.txt at the previous step, the service now trusts all the security information in the proxy certificate.
   1. In a shell window on the client system, issue a level 1 proxy exactly as before:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

      You should receive a total of ten (10) items in the response. Eight (8) of these items are exactly the same as before. Two (2) new Principal items have appeared, corresponding to the trusted SAMLIdentity items. Note that none of the security items are labeled (untrusted) since, by virtue of the AttributeAcceptancePIP, all security items have been associated with a trusted SAML issuer.
   2. In a shell window on the server system, stop the container.

Configure a blacklist

We now introduce our first policy decision point (PDP). The SAMLBlacklistPDP returns false (DENY) if (and only if) any of the security information in the security context is on one or more blacklists. GridShib for GT supports two kinds of blacklists: a blacklist of IP addresses and a blacklist of principal name identifiers. If the client IP address of the authenticated user is on the blacklist of IP addresses, the request is denied. Similarly, if the name identifier associated with the authenticated user is on the blacklist of principal name identifiers, the request is denied.

Reconfigure the server system, issue a level 1 proxy credential containing an IP address on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   Specific IP addresses and/or principal name identifiers may be blacklisted. Add a blacklist PDP to the authorization chain.
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>

      This enables SAMLBlacklistPDP in the authorization chain.
   2. In server-config.wsdd, observe the following configuration parameter:

      <parameter name="secctxecho-blacklistIPAddressesFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt"/>

      This enables IP address blacklisting in the SecurityContextEchoService.
2. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
   The IP address of the requester is checked against the blacklist and the request is denied if the IP address is on the list. Since IP address 111.111.111.111 is on the blacklist ( blacklist_ip_addresses.txt), the request is denied.
   1. In a shell window on the server system, start a secure container. Note how SAMLBlacklistPDP initializes in the container logs.
   2. In a shell window on the client system, issue a level 1 proxy and request the service:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600 /
            --address 111.111.111.111
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
            --address 111.111.111.111
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
        "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
        is not authorized to use operation:
        {http://wsrf.globus.org/2005/04/secctxecho}echo on this service

      Since the IP address is on the blacklist, the request is denied.
3. Request the SecurityContextEchoService again.
   In this case, IP address 255.255.255.255 is not on the blacklist, so the request is permitted.
   1. In a shell window on the client system, issue a different level 1 proxy and request the service:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600 /
            --address 255.255.255.255
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
            --address 255.255.255.255
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

      As before, you should receive a total of ten (10) items in the response: two (2) SAMLIdentity items, one (1) SAMLAuthnContext item, four (4) BasicAttribute items, and three (3) Principal items. Note that the SAMLAuthnContext item contains the IP address 255.255.255.255 previously embedded in the proxy.
4. Request the SecurityContextEchoService again.
   This time we will deny access based on the name identifier in a bound SAML assertion.
   1. In server-config.wsdd, observe the following configuration parameter:

      <parameter name="secctxecho-blacklistNameIdentifiersFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_name_ids.txt"/>

      This enables name identifier blacklisting in the SecurityContextEchoService.
   2. In file blacklist_name_ids.txt, uncomment the following name identifier:

      trscavo

      This name identifier is in fact one of two name identifiers asserted in the two X.509-bound SAML assertions in the certificate chain.
   3. Repeat the request from the previous step:

        UNIX:
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
        "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
        is not authorized to use operation:
        {http://wsrf.globus.org/2005/04/secctxecho}echo on this service

      Since the name identifier is on the blacklist, the request is denied.
5. Request the SecurityContextEchoService again.
   The blacklisted name identifier at the previous step is not globally unique, and therefore may not be appropriate in all deployment scenarios. A DN, on the other hand, is globally unique and is therefore a good candidate for blacklisting.
   1. In file blacklist_name_ids.txt, comment out this line

      #trscavo

      and uncomment this line

      CN=ePPN,OU=entityID,O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu

      where ePPN and entityID are particular identifiers associated with the user and the identity provider, respectively. In my case, ePPN is trscavo@idp.protectnetwork.org and entityID is https://idp.protectnetwork.org/protectnetwork-idp. Your mileage may vary of course.
   2. Repeat the request from the previous step. The request should fail as before (but for a different reason).
   3. Comment out all the lines in the blacklist file and issue the request again. This time the request should not fail.
   4. In a shell window on the server system, stop the container.

Configure attribute mapping

Some grid resources (e.g., GRAM) require a local username. Given a username, the job executes in the environment of the corresponding user on the server system. Traditionally, the local username is obtained from the gridmap file, a mapping from X.509 Subject DNs to local usernames.

GridShib augments (or even replaces) the gridmap file. Instead of mapping DNs to usernames, GridShib maps user attributes to usernames. The mapping is contained in an attributed-based username mapping policy file (attributeMappingPolicyFile). The SAMLMapPIP combines the attributes in the security context with the mapping policy in the file and adds the resulting usernames to the security context.

Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   SAML attributes may be mapped to local usernames (much like DNs are mapped to usernames in the grid-mapfile). The mappings are defined in policy files configured in the service descriptor ( server-config.wsdd) on the server system.
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho:org.globus.gridshib.SAMLMapPIP"/>

      This enables SAMLMapPIP in the authorization chain.
   2. In server-config.wsdd, observe the following configuration parameter:

      <parameter name="secctxecho-attributeMappingPolicyFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>

      This associates a policy file for attribute-based mapping in the SecurityContextEchoService.
2. Request the SecurityContextEchoService again.
   If the particular attribute that authorizes access has one or more usernames associated with it, those usernames are added to the security context. (The policy file echo-attr-authz-vo.xml on the server system contains the relevant mappings.)
   1. In a shell window on the server system, start a secure container. Note how SAMLMapPIP initializes in the container logs.
   2. In a shell window on the client system, use the level 1 proxy from the previous exercise (assuming it's still valid) to request the service:

        UNIX:
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        ---------
        Response:
        ---------
      
        Principal {
          name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
                /OU=https://idp.protectnetwork.org/protectnetwork-idp
                /CN=trscavo@idp.protectnetwork.org'
          type='Globus'
        }
        Principal {
          name='trscavo'
          type='SAML'
        }
        Principal {
          name='CN=trscavo@idp.protectnetwork.org,
                OU=https://idp.protectnetwork.org/protectnetwork-idp,
                O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          type='SAML'
        }
        SAMLIdentity {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                    trscavo
                  </NameIdentifier>'
        }
        SAMLIdentity {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                    CN=trscavo@idp.protectnetwork.org,
                    OU=https://idp.protectnetwork.org/protectnetwork-idp,
                    O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
                  </NameIdentifier>'
        }
        SAMLAuthnContext {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
          authnInstant='2008-01-24T22:29:18Z'
          ipAddress='255.255.255.255'
          dnsName='null'
        }
        BasicAttribute {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          name='urn:oid:2.5.4.6'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='US'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttribute'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValueTwo'
          value #2='testValue'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttributeTwo'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValue'
        }
        BasicAttribute {
          issuer='CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='group://gisolve.org/gisolve'
          value #2='group://nanohub.org/nanohub'
        }
        Principal {
          name='nanohub'
          type='UserName'
        }
        Principal {
          name='gisolve'
          type='UserName'
        }

      You should receive a total of twelve (12) items in the response: two (2) SAMLIdentity items, one (1) SAMLAuthnContext item, four (4) BasicAttribute items, and five () Principal items. The two new Principal items are usernames mapped to attributes in the policy file (echo-attr-authz-vo.xml).
   3. In a shell window on the server system, stop the container.

Configure attribute-based authorization policy

We add a second PDP to the authorization chain, which completes the configuration of attribute-based authorization based on attribute push. The SAMLAttributePDP returns true (PERMIT) if (and only if) attribute-based authorization policy (in parameter attributeAuthzPolicyFile) is satisfied.

Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   We now configure attribute-based authorization policy, the most important policy check of all.
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho:org.globus.gridshib.SAMLMapPIP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho:org.globus.gridshib.SAMLMapPIP
                    secctxecho:org.globus.gridshib.SAMLAttributePDP"/>

      This enables SAMLAttributePDP in the authorization chain.
   2. In server-config.wsdd, comment out the following configuration parameter

      <!--<parameter name="secctxecho-attributeMappingPolicyFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>-->

      and observe the following (related) configuration parameter:

      <parameter name="secctxecho-attributeAuthzPolicyFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>

      Commenting out the attributeMappingPolicyFile parameter causes the SAMLMapPIP to fall back on the attributeAuthzPolicyFile parameter. This associates a single policy file with both attribute-based mapping (SAMLMapPIP) and attribute-based authorization (SAMLAttributePDP) in the SecurityContextEchoService.
2. Reconfigure the GridShib SAML Tools on the client system.
   1. Create a custom configuration file (my-other-saml-issuer.properties) in directory $GRIDSHIB_HOME/etc (or %GRIDSHIB_HOME%/etc on Windows):

      # BEGIN my-other-saml-issuer.properties
      
      # Identity Provider entityID
      IdP.entityID=https://gridshib.example.org/idp
      
      # SAML NameIdentifier (formatted as eduPersonPrincipalName)
      NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
      NameID.Format.template=%PRINCIPAL%@example.org
      
      # FriendlyName="eduPersonEntitlement"
      Attribute.ROLE.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
      Attribute.ROLE.Name=urn:oid:1.3.6.1.4.1.5923.1.1.1.7
      Attribute.ROLE.Value=http://www.teragrid.org/names/roles/admin
      
      # END my-other-saml-issuer.properties

3. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
   Using the above configuration file, we will issue a level 1 proxy certificate that does not contain one of the required attributes as specified by policy file echo-attr-authz-vo.xml on the server system. As a result, the request will fail.
   1. In a shell window on the server system, start a secure container. Note how SAMLAttributePDP initializes in the container logs.
   2. In a shell window on the client system, issue a level 1 proxy and request the service:

        UNIX:
        $ cp /tmp/x509up_u$UID /tmp/mycredential.pem
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600 /
            --properties /
                certLocation=file:///tmp/mycredential.pem /
                keyLocation=file:///tmp/mycredential.pem
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > copy "%TEMP%/x509up_u_%USERNAME%" C:/Temp/mycredential.pem
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-other-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
            --properties
                certLocation=file:///C:/Temp/mycredential.pem
                keyLocation=file:///C:/Temp/mycredential.pem
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
        "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
        is not authorized to use operation:
        {http://wsrf.globus.org/2005/04/secctxecho}echo on this service

      Since the supplied attribute does not satisfy policy (echo-attr-authz-vo.xml), the request is denied.
   3. In a shell window on the server system, stop the container.
4. Request the SecurityContextEchoService again.
   This time we will present a proxy certificate with at least one attribute that satisfies policy.
   1. In echo-service-security-descriptor.xml, modify the authorization chain slightly as follows:

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho2:org.globus.gridshib.SAMLMapPIP
                    secctxecho2:org.globus.gridshib.SAMLAttributePDP"/>

      This reconfigures SAMLAttributePDP to depend on a different policy file:

      <parameter name="secctxecho2-attributeAuthzPolicyFile"
                 value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo-roles.xml"/>

      If you inspect the above policy file (echo-attr-authz-vo-roles.xml), you'll see that the attribute previously bound to the proxy certificate does in fact satisfy policy.
   2. In a shell window on the server system, start a secure container.
   3. In a shell window on the client system, request the service as before:

        UNIX:
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        Windows:
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s https://localhost:8443/wsrf/services/SecurityContextEchoService

        ---------
        Response:
        ---------
      
        Principal {
          name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/
                OU=https://idp.protectnetwork.org/protectnetwork-idp/
                CN=trscavo@idp.protectnetwork.org'
          type='Globus'
        }
        SAMLIdentity {
          issuer='https://gridshib.example.org/idp'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
                    trscavo@example.org
                  </NameIdentifier>'
        }
        SAMLIdentity {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          nameID='<NameIdentifier
                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                    CN=trscavo@idp.protectnetwork.org,
                    OU=https://idp.protectnetwork.org/protectnetwork-idp,
                    O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
                  </NameIdentifier>'
        }
        Principal {
          name='trscavo@example.org'
          type='SAML'
        }
        Principal {
          name='CN=trscavo@idp.protectnetwork.org,
                OU=https://idp.protectnetwork.org/protectnetwork-idp,
                O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
          type='SAML'
        }
        SAMLAuthnContext {
          issuer='https://gridshib.example.org/idp'
          authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
          authnInstant='2008-01-24T22:29:18Z'
          ipAddress='null'
          dnsName='null'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttribute'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValueTwo'
          value #2='testValue'
        }
        BasicAttribute {
          issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
          name='http://gridshib.globus.org/testAttributeTwo'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='testValue'
        }
        BasicAttribute {
          issuer='https://gridshib.example.org/idp'
          name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
          nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
          value #1='http://www.teragrid.org/names/roles/admin'
        }
        Principal {
          name='tg-admin'
          type='UserName'
        }

      This time policy is satisfied (echo-attr-authz-vo-roles.xml).
5. In a shell window on the server system, stop the container.

Configure a combined interceptor

To provide a more elegant and flexible configuration, GridShib for GT exposes a combined interceptor called GridShibPDP that includes all the functionality discussed thus far (and more).

Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   A combined interceptor (sometimes called a master PDP) controls other PIPs and PDPs. For example, a PDP called GridShibPDP is functionally equivalent to the authorization chain configured in the previous section. (Actually, GridShibPDP does much, much more.)
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho:org.globus.gridshib.SAMLMapPIP
                    secctxecho:org.globus.gridshib.SAMLAttributePDP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>

      This enables the combined interceptor GridShibPDP.
2. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential via Secure Message.
   Since the end result of the combined interceptor is the same, this is a good time to introduce a new topic: message-level security. All of the previous requests defaulted to transport-level security, that is, the certificate chain containing the SAML assertions is passed via an ordinary TLS handshake. To pass the SAML assertions at the message level (i.e., in the header of the SOAP message), all that's needed is a simple command-line switch that causes the client to use WS-Security X.509 Certificate Token Profile to transmit the certificate chain along with the bound SAML assertions to the container.
   1. In a shell window on the server system, start an insecure container:

        UNIX:
        $ $GLOBUS_LOCATION/bin/globus-start-container -nosec

        Windows:
        > %GLOBUS_LOCATION%/bin/globus-start-container -nosec

      This disables transport-level security in the container.
   2. In a shell window on the client system, request the service in two different ways:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/testcredential.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600 /
            --address 255.255.255.255
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/testcredential.pem
        $ echo $X509_USER_PROXY
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none /
            -s http://localhost:8080/wsrf/services/SecurityContextEchoService
        $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none -m msg /
            -s http://localhost:8080/wsrf/services/SecurityContextEchoService

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile %TEMP%/testcredential.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
            --address 255.255.255.255
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/testcredential.pem
        > echo %X509_USER_PROXY%
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none
            -s http://localhost:8080/wsrf/services/SecurityContextEchoService
        > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -m msg
            -s http://localhost:8080/wsrf/services/SecurityContextEchoService

      The first request will fail because it requires transport-level security, which has been disabled in the container. The second request will succeed, however, despite the fact that transport-level security has been disabled, since it uses message-level security as indicated by the -m msg command-line option. In that case, the X.509 certificate chain containing the SAML assertions is passed in the header of the SOAP request.
   3. In a shell window on the server system, stop the insecure container:

        UNIX:
        $ $GLOBUS_LOCATION/bin/globus-stop-container /
            -s http://localhost:8080/wsrf/services/ShutdownService -m msg

        Windows:
        > %GLOBUS_LOCATION%/bin/globus-stop-container
            -s http://localhost:8080/wsrf/services/ShutdownService -m msg

   4. If the above experiment didn't make your jaw drop, you need to go back and do it again ;-)

Configure complex authorization policy

Any given policy file lists zero or more attributes. In the case where more than one attribute is specified in a policy file, policy is satisfied if at least one attribute is satisfied. In other words, a logical OR semantic is applied within a given policy file. To express policy based on a logical AND semantic, a sequence of PDPs may be invoked.

Reconfigure the server system, issue a level 2 proxy credential on the client system, and request the SecurityContextEchoService on the server system:

1. Reconfigure the SecurityContextEchoService on the server system.
   1. In echo-service-security-descriptor.xml, comment out this line

      <authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>

      and uncomment this line

      <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
                    secctxecho:org.globus.gridshib.AttributeAcceptancePIP
                    secctxecho:org.globus.gridshib.SAMLBlacklistPDP
                    secctxecho1:org.globus.gridshib.SAMLMapPIP
                    secctxecho2:org.globus.gridshib.SAMLMapPIP
                    secctxecho1:org.globus.gridshib.SAMLAttributePDP
                    secctxecho2:org.globus.gridshib.SAMLAttributePDP
                    secctxecho3:org.globus.gridshib.SAMLAttributePDP"/>

      This enables SAMLAttributePDP three times in the authorization chain. Each invocation of SAMLAttributePDP is associated with its own policy file. (See server-config.wsdd for the corresponding policy file configurations.)
2. Request the SecurityContextEchoService, authenticating with a level 2 proxy credential issued on the client system.
   Previously, an alternate configuration file for the GridShib SAML Tools was created on the client system, which we used to issue a level 1 proxy certificate. This time we will use that same configuration file to issue a level 2 proxy certificate.
   1. In a shell window on the server system, start a secure container. Note how multiple instances of SAMLMapPIP and SAMLAttributePDP initialize in the container logs.
   2. In a shell window on the client system, issue a level 2 proxy:

        UNIX:
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties /
            --authn --x509 --outfile /tmp/level1proxy.pem /
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password /
            --authnInstant 2008-01-24T16:29:18-0600
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/level1proxy.pem
        $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer /
            --user trscavo --sender-vouches /
            --config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties /
            --x509 --outfile /tmp/level2proxy.pem /
            --properties /
                certLocation=file:///tmp/level1proxy.pem /
                keyLocation=file:///tmp/level1proxy.pem
        $ $GRIDSHIB_HOME/bin/gridshib-saml-info /
            --infile /tmp/level2proxy.pem
        $ export X509_USER_PROXY=/tmp/level2proxy.pem

        Windows:
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties
            --authn --x509 --outfile C:/Temp/level1proxy.pem
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
            --authnInstant 2008-01-24T16:29:18-0600
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile C:/Temp/level1proxy.pem
        > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer
            --user trscavo --sender-vouches
            --config %GRIDSHIB_HOME%/etc/my-other-saml-issuer.properties
            --x509 --outfile C:/Temp/level2proxy.pem
            --properties
                certLocation=file:///C:/Temp/level1proxy.pem
                keyLocation=file:///C:/Temp/level1proxy.pem
        > %GRIDSHIB_HOME%/bin/gridshib-saml-info
            --infile %TEMP%/level2proxy.pem
        > set X509_USER_PROXY=C:/Temp/level2proxy.pem

   3. In a shell window on the client system, request the service as usual (using transport-level security or message-level security, take your pick). You should receive a total of sixteen (16) items in the response: three (3) SAMLIdentity items (one from each certificate), one (1) SAMLAuthnContext item (from the level 1 proxy), five (5) BasicAttribute items (two from the EEC, two from the level 1 proxy, and one from the level 2 proxy), and seven (7) Principal items (three of which are username mappings).
   4. In a shell window on the server system, stop the container.