GridShib Quick Start
April 30, 2008
This GridShib Quick Start gives detailed instructions for using GridShib for GT v0.6, GridShib SAML Tools v0.3, and GridShib CA v0.5 together on Windows and UNIX systems. The GridShib SAML Tools is a standalone suite of client tools requiring only Java and Ant. GridShib for GT is a plugin for Globus Toolkit (GT). A lightweight alternative to installing the full Globus Toolkit is to install the Java WS Core component of GT and then install GridShib for GT on top of that (see the Getting Started section for details). Finally, we show how to use a public instance of the GridShib CA to bootstrap the X.509 environment on your laptop or desktop.
This Quick Start concentrates on the following deployment scenarios:
In particular, all the examples in the section entitled Configuring GridShib for GT for Attribute Push address the Science Gateway Use Case.
Contents
Getting Started
This Quick Start requires two logical systems: a client system and a server system. The client system presents an X.509 certificate containing an X.509-bound SAML token to a GridShib-protected service running on the server system. Thus a suitable client system should be able to do the following:
- Request an end-entity credential from the GridShib CA using a browser
- Issue a proxy credential using a Java command-line tool provided by the GridShib SAML Tools
- Request a web service using a Java command-line client included in GridShib for GT
At least one of steps 1 or 2 is required to obtain an X.509 certificate containing an X.509-bound SAML token. Using both the GridShib CA and the GridShib SAML Tools demonstrates that SAML information can come from multiple certificates in the presented certificate chain, so a client system that wields a browser is highly desirable.
The client system requires GridShib SAML Tools and GridShib for GT, while the server system requires GridShib for GT only. Since GridShib for GT strictly requires only Java WS Core (as opposed to the full GT software stack), the basic requirements for running a client and a server are fairly lightweight. We provide the following guides to help you install a minimal software stack suitable for this Quick Start:
Some possible deployment scenarios are outlined below:
- Both the client and the server are deployed on a single physical system.
- If the physical system is a Windows laptop or desktop, Java WS Core must be installed (since full GT is not supported on Windows).
- If the physical system is a Mac laptop or desktop, either Java WS Core or full GT may be installed.
- If the physical system is a Linux or UNIX server, typically full GT is installed but Java WS Core is sufficient. Since the GridShib CA is not (easily) leveraged in this case, this isn't an optimal solution for this Quick Start.
- The client and server systems are deployed on separate systems.
- If the client system is a laptop or desktop, the GridShib CA can be used.
- The server system must be running SOAP services in a Globus container on the network.
For the rest of this Quick Start, we assume the client system is a laptop or desktop so that an end-entity credential can be requested from the shib-enabled GridShib CA.
Configuring GridShib for GT for Attribute Push
This section shows how to configure GridShib for GT for attribute push. The requester authenticates to the service by presenting an X.509 certificate chain. One or more certificates in the chain may contain a SAML assertion bound to a non-critical X.509 v3 certificate extension. The security information in the SAML assertion(s) may be used for access control. After the requester is authenticated, the request passes through the authorization chain illustrated below.
As the request passess through the authorization chain, the policy information points (denoted by hexagons in the diagram) populate a security context with the security information gleaned from the SAML assertion(s). If any policy decision point (denoted by diamond shapes above) in the authorization chain returns DENY
, processing is short-circuited and the request is denied. On the other hand, if the request passes through the entire authorization chain such that no policy decision point returns DENY
, the request is permitted.
In what follows, we assume a client system and a server system have been deployed as outlined in the Getting Started section. For convenience, we also assume that both the client and the server are installed on the same system. If this is not the case, be sure to replace localhost
in the commands below with the correct IP address or DNS address of the server system.
This tutorial refers to various configuration files included with GridShib for GT and GridShib SAML Tools:
UNIX: $ export CONFIG_DIR=$GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0 $ ls -l $CONFIG_DIR/echo-service-security-descriptor.xml / $CONFIG_DIR/server-config.wsdd / $CONFIG_DIR/blacklist_ip_addresses.txt / $CONFIG_DIR/blacklist_name_ids.txt / $CONFIG_DIR/echo-attr-authz-vo.xml / $CONFIG_DIR/echo-attr-authz-vo-roles.xml / $CONFIG_DIR/echo-attr-authz-c.xml / $CONFIG_DIR/idp-metadata/trusted_authorities_entity_map.txt
Windows: > set CONFIG_DIR=%GLOBUS_LOCATION%/etc/gridshib-gt-echo-0_6_0 > dir %CONFIG_DIR%/echo-service-security-descriptor.xml %CONFIG_DIR%/server-config.wsdd %CONFIG_DIR%/blacklist_ip_addresses.txt %CONFIG_DIR%/blacklist_name_ids.txt %CONFIG_DIR%/echo-attr-authz-vo.xml %CONFIG_DIR%/echo-attr-authz-vo-roles.xml %CONFIG_DIR%/echo-attr-authz-c.xml %CONFIG_DIR%/idp-metadata/trusted_authorities_entity_map.txt
In what follows, we will use short (system independent) filenames when referring to the above configuration files.
Before we get started, create a GridShib SAML Tools configuration properties file:
UNIX: $ su - globus $ echo $HOME /home/globus $ echo /tmp/x509up_u$UID /tmp/x509up_u504 $ cat $GRIDSHIB_HOME/etc/my-saml-issuer.properties # BEGIN my-saml-issuer.properties # SAML NameIdentifier NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified NameID.Format.template=%PRINCIPAL% # FriendlyName="isMemberOf" Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1 Attribute.isMemberOf.Value=group://nanohub.org/nanohub group://gisolve.org/gisolve # FriendlyName="countryName" Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.countryName.Name=urn:oid:2.5.4.6 Attribute.countryName.Value=US # X.509 Issuing Credential certLocation=file:///tmp/x509up_u504 keyLocation=file:///tmp/x509up_u504 # END my-saml-issuer.properties
Windows: > echo %USERPROFILE% C:/Documents and Settings/globus > echo %TEMP%/x509up_u_%USERNAME% C:/DOCUME~1/GLOBUS/LOCALS~1/Temp/x509up_u_globus > type %GRIDSHIB_HOME%/etc/my-saml-issuer.properties # BEGIN my-saml-issuer.properties # SAML NameIdentifier NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified NameID.Format.template=%PRINCIPAL% # FriendlyName="isMemberOf" Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1 Attribute.isMemberOf.Value=group://nanohub.org/nanohub group://gisolve.org/gisolve # FriendlyName="countryName" Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.countryName.Name=urn:oid:2.5.4.6 Attribute.countryName.Value=US # X.509 Issuing Credential certLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus keyLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus # END my-saml-issuer.properties
In both cases, note that the isMemberOf
attribute is multi-valued and that the two attribute values are separated by a tab character.
The default configuration
Out of the box, the GridShib SecurityContextEchoService
on the server system is configured for attribute push. All requests for SecurityContextEchoService
are intercepted by the SAMLAssertionPushPIP
(PushPIP), which extracts and parses any SAML tokens bound to the presented X.509 certificate chain. The resulting security context is logged but no policy is applied. Indeed, a policy information point (PIP) does not return an access control decision, so the GT 4.0 authorization framework permits access by default.
Issue a level 1 proxy credential on the client system and request the SecurityContextEchoService
on the server system:
- Inspect the configuration of
SecurityContextEchoService
on the server system.By default, theSecurityContextEchoService
is configured for attribute push.- In
echo-service-security-descriptor.xml
, an interceptor calledSAMLAssertionPushPIP
is configured:<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
This interceptor consumes any X.509-bound SAML assertions in the presented certificate chain.
- In
- Request the
SecurityContextEchoService
, authenticating with a level 1 proxy credential issued on the client system.To demonstrate attribute push, use the GridShib SAML Tools to issue a proxy certificate signed by the GridShib CA-issued end-entity credential on the client system. The resulting certificate chain will contain two SAML assertions, one bound to the end-entity certificate issued by the GridShib CA and another one bound to the proxy certificate issued by the SAML Tools. A request to theSecurityContextEchoService
will be intercepted by theSAMLAssertionPushPIP
, the assertions will be extracted and parsed, and the results will be echoed back to the requester.- In a shell window on the server system, start a secure container. Note how
SAMLAssertionPushPIP
initializes in the container logs. - In a shell window on the client system, issue a level 1 proxy, set the proxy path, and request the service:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ export X509_USER_PROXY=/tmp/testcredential.pem $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > set X509_USER_PROXY=%TEMP%/testcredential.pem > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
--------- Response: --------- Principal { name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User /OU=https://idp.protectnetwork.org/protectnetwork-idp /CN=trscavo@idp.protectnetwork.org' type='Globus' } (untrusted) SAMLIdentity { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> trscavo </NameIdentifier>' } (untrusted) SAMLIdentity { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu </NameIdentifier>' } (untrusted) SAMLAuthnContext { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' authnMethod='urn:oasis:names:tc:SAML:1.0:am:password' authnInstant='2008-01-24T22:29:18Z' ipAddress='null' dnsName='null' } (untrusted) BasicAttribute { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' name='urn:oid:2.5.4.6' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='US' } (untrusted) BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttribute' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValueTwo' value #2='testValue' } (untrusted) BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttributeTwo' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValue' } (untrusted) BasicAttribute { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='group://gisolve.org/gisolve' value #2='group://nanohub.org/nanohub' }
You should receive a total of eight (8) items in the response: one (1)Principal
item (representing the authenticated user), two (2)SAMLIdentity
items (one of which is from the GridShib CA-issued EEC), one (1)SAMLAuthnContext
item, and four (4)BasicAttribute
items. Note carefully the issuer of each item. Also note that each item is labeled(untrusted)
since none of the security information has been subjected to policy. - In a shell window on the server system, stop the container.
- In a shell window on the server system, start a secure container. Note how
Configure attribute acceptance policy
The SAMLAssertionPushPIP
logs the security information in the pushed X.509-bound SAML tokens, but since no policy is applied, we say the information is untrusted. Without rendering an access control decision, the AttributeAcceptancePIP
(AAPIP) applies attribute acceptance policy to the security information in the security context. As a result, the untrusted information is filtered from the security context.
Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.By default, theSecurityContextEchoService
is configured to accept all attributes (i.e., no policy is applied). We now expand the authorization chain to include attribute acceptance policy. This policy check is enabled by adding another PIP to the authorization chain.- In
echo-service-security-descriptor.xml
, comment out this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>
This enablesAttributeAcceptancePIP
in the authorization chain.
- In
- Request the
SecurityContextEchoService
, authenticating with a level 1 proxy credential issued on the client system.TheAttributeAcceptancePIP
introduced in the previous step determines which of the "untrusted" items are in fact trusted (by consulting a list of trusted SAML authorities). Any "untrusted" items remaining are removed from the security context.- In a shell window on the server system, start a secure container. Note how
AttributeAcceptancePIP
initializes in the container logs. - In a shell window on the client system, issue a level 1 proxy, set the proxy path, and request the service:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
--------- Response: --------- Principal { name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User /OU=https://idp.protectnetwork.org/protectnetwork-idp /CN=trscavo@idp.protectnetwork.org' type='Globus' } SAMLIdentity { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu </NameIdentifier>' } Principal { name='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' type='SAML' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttribute' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValueTwo' value #2='testValue' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttributeTwo' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValue' }
This time, since the GridShib CA is the only trusted SAML authority on the list (by default), only five (5) items appear in the response: two (2)Principal
items, one (1)SAMLIdentity
item, and two (2)BasicAttribute
items. Note that onePrincipal
item represents the authenticated user (as mentioned in the previous section) while the other four items are a result of the trusted GridShib CA-issued EEC. The remaining items were removed from the security context by theAttributeAcceptancePIP
since they are untrusted.
- In a shell window on the server system, start a secure container. Note how
- Reconfigure the GridShib SAML Tools on the client system.
Every SAML assertion has an issuer, and the assertion embedded in the proxy certificate by the SAML Tools is no exception. By default, the tool sets the SAML Issuer to the X.509 Issuer, that is, the Subject DN of the issuing credential. We now reconfigure the GridShib SAML Tools so that the SAML Issuer is a fixed URI. This URI is called the
entityID
of the SAML issuer.- Add the following lines to
my-saml-issuer.properties
:# Identity Provider entityID IdP.entityID=https://gridshib.example.org/idp
The URI on the righthand side is theentityID
of the SAML issuer. - Obtain the Subject DN of your GridShib CA-issued EEC on the client system:
UNIX: $ $GLOBUS_LOCATION/bin/rfc2253dn
Windows: > %GLOBUS_LOCATION%/bin/rfc2253dn
X.509 Subject DN (Globus): /DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User /OU=https://idp.protectnetwork.org/protectnetwork-idp /CN=trscavo@idp.protectnetwork.org X.509 Subject DN (RFC 2253): CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu X.509 Subject DN (Canonical RFC 2253): cn=#141e7472736361766f406964702e70726f746563746e6574776f726b2e6f7267, ou=https://idp.protectnetwork.org/protectnetwork-idp, o=shibboleth user,dc=#1608636f6d7075746572,dc=#16046e637361, dc=#160475697563,dc=#1603656475
The RFC 2253 form of the Subject DN is required in the following step.
- Add the following lines to
- Configure the
AttributeAcceptancePIP
on the server system.In the current version of GridShib for GT, attribute acceptance policy boils down to a list of trusted SAML authorities. Actually, the PIP consults a file-based mapping of SAML authorities into X.509 authorities. Attributes are accepted from a particular SAML issuer if and only if the issuer'sentityID
maps to an X.509 Issuer DN. By default, the GridShib CA is a trusted SAML authority. We now add the proxy issuer to the list of trusted SAML authorities.- Add the following line to the trusted SAML authorities file
trusted_authorities_entity_map.txt
:https://gridshib.example.org/idp "Subject DN of your EEC"
Be sure to use the RFC 2253 form of your Subject DN from the previous step.
- Add the following line to the trusted SAML authorities file
- Request the
SecurityContextEchoService
again.By virtue of the mapping added totrusted_authorities_entity_map.txt
at the previous step, the service now trusts all the security information in the proxy certificate.- In a shell window on the client system, issue a level 1 proxy exactly as before:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
You should receive a total of ten (10) items in the response. Eight (8) of these items are exactly the same as before. Two (2) newPrincipal
items have appeared, corresponding to the trustedSAMLIdentity
items. Note that none of the security items are labeled(untrusted)
since, by virtue of theAttributeAcceptancePIP
, all security items have been associated with a trusted SAML issuer. - In a shell window on the server system, stop the container.
- In a shell window on the client system, issue a level 1 proxy exactly as before:
Configure a blacklist
We now introduce our first policy decision point (PDP). The SAMLBlacklistPDP
returns false (DENY
) if (and only if) any of the security information in the security context is on one or more blacklists. GridShib for GT supports two kinds of blacklists: a blacklist of IP addresses and a blacklist of principal name identifiers. If the client IP address of the authenticated user is on the blacklist of IP addresses, the request is denied. Similarly, if the name identifier associated with the authenticated user is on the blacklist of principal name identifiers, the request is denied.
Reconfigure the server system, issue a level 1 proxy credential containing an IP address on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.Specific IP addresses and/or principal name identifiers may be blacklisted. Add a blacklist PDP to the authorization chain.- In
echo-service-security-descriptor.xml
, comment out this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>
This enablesSAMLBlacklistPDP
in the authorization chain. - In
server-config.wsdd
, observe the following configuration parameter:<parameter name="secctxecho-blacklistIPAddressesFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt"/>
This enables IP address blacklisting in theSecurityContextEchoService
.
- In
- Request the
SecurityContextEchoService
, authenticating with a level 1 proxy credential issued on the client system.The IP address of the requester is checked against the blacklist and the request is denied if the IP address is on the list. Since IP address 111.111.111.111 is on the blacklist (blacklist_ip_addresses.txt
), the request is denied.- In a shell window on the server system, start a secure container. Note how
SAMLBlacklistPDP
initializes in the container logs. - In a shell window on the client system, issue a level 1 proxy and request the service:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 / --address 111.111.111.111 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 --address 111.111.111.111 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN" is not authorized to use operation: {http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the IP address is on the blacklist, the request is denied.
- In a shell window on the server system, start a secure container. Note how
- Request the
SecurityContextEchoService
again.In this case, IP address 255.255.255.255 is not on the blacklist, so the request is permitted.- In a shell window on the client system, issue a different level 1 proxy and request the service:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 / --address 255.255.255.255 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 --address 255.255.255.255 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
As before, you should receive a total of ten (10) items in the response: two (2)SAMLIdentity
items, one (1)SAMLAuthnContext
item, four (4)BasicAttribute
items, and three (3)Principal
items. Note that theSAMLAuthnContext
item contains the IP address 255.255.255.255 previously embedded in the proxy.
- In a shell window on the client system, issue a different level 1 proxy and request the service:
- Request the
SecurityContextEchoService
again.This time we will deny access based on the name identifier in a bound SAML assertion.- In
server-config.wsdd
, observe the following configuration parameter:<parameter name="secctxecho-blacklistNameIdentifiersFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_name_ids.txt"/>
This enables name identifier blacklisting in theSecurityContextEchoService
. - In file
blacklist_name_ids.txt
, uncomment the following name identifier:trscavo
This name identifier is in fact one of two name identifiers asserted in the two X.509-bound SAML assertions in the certificate chain. - Repeat the request from the previous step:
UNIX: $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN" is not authorized to use operation: {http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the name identifier is on the blacklist, the request is denied.
- In
- Request the
SecurityContextEchoService
again.The blacklisted name identifier at the previous step is not globally unique, and therefore may not be appropriate in all deployment scenarios. A DN, on the other hand, is globally unique and is therefore a good candidate for blacklisting.- In file
blacklist_name_ids.txt
, comment out this line#trscavo
and uncomment this lineCN=ePPN,OU=entityID,O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
whereePPN
andentityID
are particular identifiers associated with the user and the identity provider, respectively. In my case,ePPN
istrscavo@idp.protectnetwork.org
andentityID
ishttps://idp.protectnetwork.org/protectnetwork-idp
. Your mileage may vary of course. - Repeat the request from the previous step. The request should fail as before (but for a different reason).
- Comment out all the lines in the blacklist file and issue the request again. This time the request should not fail.
- In a shell window on the server system, stop the container.
- In file
Configure attribute mapping
Some grid resources (e.g., GRAM) require a local username. Given a username, the job executes in the environment of the corresponding user on the server system. Traditionally, the local username is obtained from the gridmap file, a mapping from X.509 Subject DNs to local usernames.
GridShib augments (or even replaces) the gridmap file. Instead of mapping DNs to usernames, GridShib maps user attributes to usernames. The mapping is contained in an attributed-based username mapping policy file (attributeMappingPolicyFile
). The SAMLMapPIP
combines the attributes in the security context with the mapping policy in the file and adds the resulting usernames to the security context.
Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.SAML attributes may be mapped to local usernames (much like DNs are mapped to usernames in the grid-mapfile). The mappings are defined in policy files configured in the service descriptor (server-config.wsdd
) on the server system.- In
echo-service-security-descriptor.xml
, comment out this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho:org.globus.gridshib.SAMLMapPIP"/>
This enablesSAMLMapPIP
in the authorization chain. - In
server-config.wsdd
, observe the following configuration parameter:<parameter name="secctxecho-attributeMappingPolicyFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>
This associates a policy file for attribute-based mapping in theSecurityContextEchoService
.
- In
- Request the
SecurityContextEchoService
again.If the particular attribute that authorizes access has one or more usernames associated with it, those usernames are added to the security context. (The policy fileecho-attr-authz-vo.xml
on the server system contains the relevant mappings.)- In a shell window on the server system, start a secure container. Note how
SAMLMapPIP
initializes in the container logs. - In a shell window on the client system, use the level 1 proxy from the previous exercise (assuming it's still valid) to request the service:
UNIX: $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
--------- Response: --------- Principal { name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User /OU=https://idp.protectnetwork.org/protectnetwork-idp /CN=trscavo@idp.protectnetwork.org' type='Globus' } Principal { name='trscavo' type='SAML' } Principal { name='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' type='SAML' } SAMLIdentity { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> trscavo </NameIdentifier>' } SAMLIdentity { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu </NameIdentifier>' } SAMLAuthnContext { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' authnMethod='urn:oasis:names:tc:SAML:1.0:am:password' authnInstant='2008-01-24T22:29:18Z' ipAddress='255.255.255.255' dnsName='null' } BasicAttribute { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' name='urn:oid:2.5.4.6' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='US' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttribute' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValueTwo' value #2='testValue' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttributeTwo' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValue' } BasicAttribute { issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='group://gisolve.org/gisolve' value #2='group://nanohub.org/nanohub' } Principal { name='nanohub' type='UserName' } Principal { name='gisolve' type='UserName' }
You should receive a total of twelve (12) items in the response: two (2)SAMLIdentity
items, one (1)SAMLAuthnContext
item, four (4)BasicAttribute
items, and five ()Principal
items. The two newPrincipal
items are usernames mapped to attributes in the policy file (echo-attr-authz-vo.xml
). - In a shell window on the server system, stop the container.
- In a shell window on the server system, start a secure container. Note how
Configure attribute-based authorization policy
We add a second PDP to the authorization chain, which completes the configuration of attribute-based authorization based on attribute push. The SAMLAttributePDP
returns true (PERMIT
) if (and only if) attribute-based authorization policy (in parameter attributeAuthzPolicyFile
) is satisfied.
Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.We now configure attribute-based authorization policy, the most important policy check of all.- In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho:org.globus.gridshib.SAMLMapPIP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho:org.globus.gridshib.SAMLMapPIP secctxecho:org.globus.gridshib.SAMLAttributePDP"/>
This enablesSAMLAttributePDP
in the authorization chain. - In
server-config.wsdd
, comment out the following configuration parameter<!--<parameter name="secctxecho-attributeMappingPolicyFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>-->
and observe the following (related) configuration parameter:<parameter name="secctxecho-attributeAuthzPolicyFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>
Commenting out theattributeMappingPolicyFile
parameter causes theSAMLMapPIP
to fall back on theattributeAuthzPolicyFile
parameter. This associates a single policy file with both attribute-based mapping (SAMLMapPIP
) and attribute-based authorization (SAMLAttributePDP
) in theSecurityContextEchoService
.
- In echo-service-security-descriptor.xml, comment out this line
- Reconfigure the GridShib SAML Tools on the client system.
- Create a custom configuration file (
my-other-saml-issuer.properties
) in directory$GRIDSHIB_HOME/etc
(or%GRIDSHIB_HOME%/etc
on Windows):# BEGIN my-other-saml-issuer.properties # Identity Provider entityID IdP.entityID=https://gridshib.example.org/idp # SAML NameIdentifier (formatted as eduPersonPrincipalName) NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6 NameID.Format.template=%PRINCIPAL%@example.org # FriendlyName="eduPersonEntitlement" Attribute.ROLE.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.ROLE.Name=urn:oid:1.3.6.1.4.1.5923.1.1.1.7 Attribute.ROLE.Value=http://www.teragrid.org/names/roles/admin # END my-other-saml-issuer.properties
- Create a custom configuration file (
- Request the
SecurityContextEchoService
, authenticating with a level 1 proxy credential issued on the client system.Using the above configuration file, we will issue a level 1 proxy certificate that does not contain one of the required attributes as specified by policy fileecho-attr-authz-vo.xml
on the server system. As a result, the request will fail.- In a shell window on the server system, start a secure container. Note how
SAMLAttributePDP
initializes in the container logs. - In a shell window on the client system, issue a level 1 proxy and request the service:
UNIX: $ cp /tmp/x509up_u$UID /tmp/mycredential.pem $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 / --properties / certLocation=file:///tmp/mycredential.pem / keyLocation=file:///tmp/mycredential.pem $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > copy "%TEMP%/x509up_u_%USERNAME%" C:/Temp/mycredential.pem > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-other-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 --properties certLocation=file:///C:/Temp/mycredential.pem keyLocation=file:///C:/Temp/mycredential.pem > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN" is not authorized to use operation: {http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the supplied attribute does not satisfy policy (echo-attr-authz-vo.xml
), the request is denied. - In a shell window on the server system, stop the container.
- In a shell window on the server system, start a secure container. Note how
- Request the
SecurityContextEchoService
again.This time we will present a proxy certificate with at least one attribute that satisfies policy.- In
echo-service-security-descriptor.xml
, modify the authorization chain slightly as follows:<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho2:org.globus.gridshib.SAMLMapPIP secctxecho2:org.globus.gridshib.SAMLAttributePDP"/>
This reconfiguresSAMLAttributePDP
to depend on a different policy file:<parameter name="secctxecho2-attributeAuthzPolicyFile" value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo-roles.xml"/>
If you inspect the above policy file (echo-attr-authz-vo-roles.xml
), you'll see that the attribute previously bound to the proxy certificate does in fact satisfy policy. - In a shell window on the server system, start a secure container.
- In a shell window on the client system, request the service as before:
UNIX: $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows: > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s https://localhost:8443/wsrf/services/SecurityContextEchoService
--------- Response: --------- Principal { name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/ OU=https://idp.protectnetwork.org/protectnetwork-idp/ CN=trscavo@idp.protectnetwork.org' type='Globus' } SAMLIdentity { issuer='https://gridshib.example.org/idp' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> trscavo@example.org </NameIdentifier>' } SAMLIdentity { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' nameID='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu </NameIdentifier>' } Principal { name='trscavo@example.org' type='SAML' } Principal { name='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu' type='SAML' } SAMLAuthnContext { issuer='https://gridshib.example.org/idp' authnMethod='urn:oasis:names:tc:SAML:1.0:am:password' authnInstant='2008-01-24T22:29:18Z' ipAddress='null' dnsName='null' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttribute' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValueTwo' value #2='testValue' } BasicAttribute { issuer='https://test-sp.ncsa.uiuc.edu/shibboleth' name='http://gridshib.globus.org/testAttributeTwo' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='testValue' } BasicAttribute { issuer='https://gridshib.example.org/idp' name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7' nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri' value #1='http://www.teragrid.org/names/roles/admin' } Principal { name='tg-admin' type='UserName' }
This time policy is satisfied (echo-attr-authz-vo-roles.xml
).
- In
- In a shell window on the server system, stop the container.
Configure a combined interceptor
To provide a more elegant and flexible configuration, GridShib for GT exposes a combined interceptor called GridShibPDP
that includes all the functionality discussed thus far (and more).
Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.A combined interceptor (sometimes called a master PDP) controls other PIPs and PDPs. For example, a PDP calledGridShibPDP
is functionally equivalent to the authorization chain configured in the previous section. (Actually,GridShibPDP
does much, much more.)- In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho:org.globus.gridshib.SAMLMapPIP secctxecho:org.globus.gridshib.SAMLAttributePDP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>
This enables the combined interceptorGridShibPDP
.
- In echo-service-security-descriptor.xml, comment out this line
- Request the
SecurityContextEchoService
, authenticating with a level 1 proxy credential via Secure Message.Since the end result of the combined interceptor is the same, this is a good time to introduce a new topic: message-level security. All of the previous requests defaulted to transport-level security, that is, the certificate chain containing the SAML assertions is passed via an ordinary TLS handshake. To pass the SAML assertions at the message level (i.e., in the header of the SOAP message), all that's needed is a simple command-line switch that causes the client to use WS-Security X.509 Certificate Token Profile to transmit the certificate chain along with the bound SAML assertions to the container.- In a shell window on the server system, start an insecure container:
UNIX: $ $GLOBUS_LOCATION/bin/globus-start-container -nosec
Windows: > %GLOBUS_LOCATION%/bin/globus-start-container -nosec
This disables transport-level security in the container. - In a shell window on the client system, request the service in two different ways:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/testcredential.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 / --address 255.255.255.255 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/testcredential.pem $ echo $X509_USER_PROXY $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none / -s http://localhost:8080/wsrf/services/SecurityContextEchoService $ $GLOBUS_LOCATION/bin/gridshibecho -d -z none -m msg / -s http://localhost:8080/wsrf/services/SecurityContextEchoService
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile %TEMP%/testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 --address 255.255.255.255 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/testcredential.pem > echo %X509_USER_PROXY% > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -s http://localhost:8080/wsrf/services/SecurityContextEchoService > %GLOBUS_LOCATION%/bin/gridshibecho -d -z none -m msg -s http://localhost:8080/wsrf/services/SecurityContextEchoService
The first request will fail because it requires transport-level security, which has been disabled in the container. The second request will succeed, however, despite the fact that transport-level security has been disabled, since it uses message-level security as indicated by the-m msg
command-line option. In that case, the X.509 certificate chain containing the SAML assertions is passed in the header of the SOAP request. - In a shell window on the server system, stop the insecure container:
UNIX: $ $GLOBUS_LOCATION/bin/globus-stop-container / -s http://localhost:8080/wsrf/services/ShutdownService -m msg
Windows: > %GLOBUS_LOCATION%/bin/globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg
- If the above experiment didn't make your jaw drop, you need to go back and do it again ;-)
- In a shell window on the server system, start an insecure container:
Configure complex authorization policy
Any given policy file lists zero or more attributes. In the case where more than one attribute is specified in a policy file, policy is satisfied if at least one attribute is satisfied. In other words, a logical OR
semantic is applied within a given policy file. To express policy based on a logical AND
semantic, a sequence of PDPs may be invoked.
Reconfigure the server system, issue a level 2 proxy credential on the client system, and request the SecurityContextEchoService
on the server system:
- Reconfigure the
SecurityContextEchoService
on the server system.- In
echo-service-security-descriptor.xml
, comment out this line<authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>
and uncomment this line<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP secctxecho:org.globus.gridshib.AttributeAcceptancePIP secctxecho:org.globus.gridshib.SAMLBlacklistPDP secctxecho1:org.globus.gridshib.SAMLMapPIP secctxecho2:org.globus.gridshib.SAMLMapPIP secctxecho1:org.globus.gridshib.SAMLAttributePDP secctxecho2:org.globus.gridshib.SAMLAttributePDP secctxecho3:org.globus.gridshib.SAMLAttributePDP"/>
This enablesSAMLAttributePDP
three times in the authorization chain. Each invocation ofSAMLAttributePDP
is associated with its own policy file. (Seeserver-config.wsdd
for the corresponding policy file configurations.)
- In
- Request the
SecurityContextEchoService
, authenticating with a level 2 proxy credential issued on the client system.Previously, an alternate configuration file for the GridShib SAML Tools was created on the client system, which we used to issue a level 1 proxy certificate. This time we will use that same configuration file to issue a level 2 proxy certificate.- In a shell window on the server system, start a secure container. Note how multiple instances of
SAMLMapPIP
andSAMLAttributePDP
initialize in the container logs. - In a shell window on the client system, issue a level 2 proxy:
UNIX: $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-saml-issuer.properties / --authn --x509 --outfile /tmp/level1proxy.pem / --authnMethod urn:oasis:names:tc:SAML:1.0:am:password / --authnInstant 2008-01-24T16:29:18-0600 $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/level1proxy.pem $ $GRIDSHIB_HOME/bin/gridshib-saml-issuer / --user trscavo --sender-vouches / --config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties / --x509 --outfile /tmp/level2proxy.pem / --properties / certLocation=file:///tmp/level1proxy.pem / keyLocation=file:///tmp/level1proxy.pem $ $GRIDSHIB_HOME/bin/gridshib-saml-info / --infile /tmp/level2proxy.pem $ export X509_USER_PROXY=/tmp/level2proxy.pem
Windows: > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-saml-issuer.properties --authn --x509 --outfile C:/Temp/level1proxy.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --authnInstant 2008-01-24T16:29:18-0600 > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile C:/Temp/level1proxy.pem > %GRIDSHIB_HOME%/bin/gridshib-saml-issuer --user trscavo --sender-vouches --config %GRIDSHIB_HOME%/etc/my-other-saml-issuer.properties --x509 --outfile C:/Temp/level2proxy.pem --properties certLocation=file:///C:/Temp/level1proxy.pem keyLocation=file:///C:/Temp/level1proxy.pem > %GRIDSHIB_HOME%/bin/gridshib-saml-info --infile %TEMP%/level2proxy.pem > set X509_USER_PROXY=C:/Temp/level2proxy.pem
- In a shell window on the client system, request the service as usual (using transport-level security or message-level security, take your pick). You should receive a total of sixteen (16) items in the response: three (3)
SAMLIdentity
items (one from each certificate), one (1)SAMLAuthnContext
item (from the level 1 proxy), five (5)BasicAttribute
items (two from the EEC, two from the level 1 proxy, and one from the level 2 proxy), and seven (7)Principal
items (three of which are username mappings). - In a shell window on the server system, stop the container.
- In a shell window on the server system, start a secure container. Note how multiple instances of