GridShib for GT v0.6.0 Worksheet
From Globus
These implementation notes are in more-or-less chronological order.
PIP Reorganization
- In directory interceptors/java/source/src-proxies/4.0/org/globus/gridshib:
  - refactored PIP as an abstract class
  - renamed MapPIP to SAMLMapPIP
  - created SAMLAssertionPushPIP
  - created SAMLQueryPIP
- In directory interceptors/java/source/src/org/globus/gridshib/gt/authorization:
  - renamed ShibbolethPIP to SAMLQueryPIPImpl
  - renamed SAMLMapPIP to SAMLMapPIPImpl
  - created stub class SAMLAssertionPushPIPImpl
PDP Reorganization
- In directory interceptors/java/source/src-proxies/4.0/org/globus/gridshib:
  - refactored PDP as an abstract class
  - created SAMLAttributeAcceptancePDP
  - created SAMLAttributePDP
  - created SAMLBlacklistPDP
  - created GridShibPullPDP
  - created GridShibPushPDP
- In directory interceptors/java/source/src/org/globus/gridshib/gt/authorization:
  - created interface GridShibPDP
  - renamed ShibbolethPDP to GridShibPullPDPImpl
  - created stub class GridShibPushPDPImpl
  - created stub class SAMLAttributeAcceptancePDPImpl
  - created stub class SAMLAttributePDPImpl
  - created stub class SAMLBlacklistPDPImpl
Preliminary Tests
In the code and command lines below, whitespace has been added for readability.
- Added the following authz chain to the security descriptor of the SecureCounterService:

    <authz value="counter:org.globus.gridshib.SAMLAssertionPushPIP
                  counter:org.globus.gridshib.SAMLAttributeAcceptancePDP
                  counter:org.globus.gridshib.SAMLAttributePDP"/>

- Invoked the SecureCounterService as follows:

    bin\counter-client -m conv -z none -s https://localhost:8443/wsrf/services/SecureCounterService

- Added the following authz chain to the security descriptor of the ShibEchoService:

    <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
                  shibecho:org.globus.gridshib.SAMLAttributeAcceptancePDP
                  shibecho:org.globus.gridshib.SAMLAttributePDP"/>

- Invoked the ShibEchoService as follows:

    bin\shibecho -z none -s https://localhost:8443/wsrf/services/ShibEchoService
SAMLAssertionPushPIP
- Added code that processes a SAML assertion for attributes
  - For testing purposes, read in a SAML assertion from a file
  - Process the SAML Subject, updating the security context with the NameIdentifier element
  - Iterate over the statements in the assertion
    - For each AuthenticationStatement, log AuthenticationMethod, AuthenticationInstant, IPAddress, and DNSAddress
    - For each AttributeStatement, add each attribute to the security context
  - Invoke the ShibEchoService (as above) and get back the following output (with whitespace added for readability):

    --------- Response: ---------
    SAMLAttribute {
      name='urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
      namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
      value #1='<saml:NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                  uid=charlie,ou=People,dc=entegrity,dc=com
                </saml:NameIdentifier>'
      issuer='http://aaremote.entegrity.com'
      notBefore='null'
      notOnOrAfter='null'
    }
    SAMLAttribute {
      name='AssuranceLevel'
      namespace='http://www.oasis-open.org/RSA2004/attributes'
      value #1='1'
      issuer='http://aaremote.entegrity.com'
      notBefore='null'
      notOnOrAfter='null'
    }
    SAMLAttribute {
      name='E-mail'
      namespace='http://www.oasis-open.org/RSA2004/attributes'
      value #1='charlie@mail.com'
      issuer='http://aaremote.entegrity.com'
      notBefore='null'
      notOnOrAfter='null'
    }
    SAMLAttribute {
      name='MemberLevel'
      namespace='http://www.oasis-open.org/RSA2004/attributes'
      value #1='gold'
      issuer='http://aaremote.entegrity.com'
      notBefore='null'
      notOnOrAfter='null'
    }
    No usernames

- Added code that extracts a SAML assertion from an X.509 certificate
  - Load a Trusted SAML Authorities file
  - Determine the X.509 certificate to process
  - Extract the assertion from the certificate
  - Process the assertion (as above)
- Configured the ShibEchoClient with the following security descriptor (echo-client-security-descriptor.xml):

    <securityConfig xmlns="http://www.globus.org">
      <proxy-file value="c:\temp\testcredential.pem"/>
      <authz value="none"/>
    </securityConfig>

- Created a proxy certificate with GridShib SAML Tools:

    > %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
      --authn --x509 --outfile c:\temp\testcredential.pem
      --authnMethod urn:oasis:names:tc:SAML:1.0:am:password
      --address 255.255.255.255

- Invoked the ShibEchoClient:

    > %GLOBUS_LOCATION%\bin\shibecho -d
      -s https://localhost:8443/wsrf/services/ShibEchoService
      -f %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-client-security-descriptor.xml

  which returns the following output (whitespace added for readability):

    --------- Response: ---------
    SAMLAttribute {
      name='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
      namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
      value #1='<NameIdentifier xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">trscavo</NameIdentifier>'
      issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
      notBefore='null'
      notOnOrAfter='null'
    }
    SAMLAttribute {
      name='urn:oid:2.5.4.6'
      namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
      value #1='US'
      issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
      notBefore='null'
      notOnOrAfter='null'
    }
    SAMLAttribute {
      name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1'
      namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
      value #1='http://www.nanohub.org'
      issuer='CN=trscavo@idp.protectnetwork.org, OU=https://idp.protectnetwork.org/protectnetwork-idp, O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
      notBefore='null'
      notOnOrAfter='null'
    }
    No usernames
Configuration Issue
While implementing the SAMLAssertionPushPIP, I ran into the following issue: The PIP was unable to retrieve the certificate chain of the authenticated client. I finally tracked down the source of the problem: The proxy certificate was faulty (duh), which prevented the client from successfully authenticating to the service.
GridShib for GT assumes the client has been authenticated. Question: How did an unauthenticated request get as far as the authorization engine? I suspect this might be a configuration issue, so here is the client-side config:
<securityConfig xmlns="http://www.globus.org">
<proxy-file value="C:\temp\testcredential.pem"/>
<authz value="none"/>
</securityConfig>
And here is the service-side config:
<securityConfig xmlns="http://www.globus.org">
<auth-method>
<GSITransport/>
</auth-method>
<!-- whitespace added for readability -->
<authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
shibecho:org.globus.gridshib.SAMLAttributeAcceptancePDP
shibecho:org.globus.gridshib.SAMLAttributePDP"/>
</securityConfig>
Are these correct?
SAMLutil
- Modified getCertificateChain so that it never returns null.
- Added getSAMLAttributeInfo and getSAMLAuthnInfo.
- Added code that throws IllegalArgumentException when arguments to methods are null.
- Overloaded the parseAttribute method.
- Added a parseSubject method.
CertUtil
Created a new utility class org.globus.gridshib.gt.authorization.samlpiputils.CertUtil. (This class may be repackaged.)
- Moved methods getCertificateChain, getEEC, and getEECIndex to here
- Added boolean functions hasNonCriticalExtension and hasSAMLExtension
- Added boolean function isImpersonationProxy(X509Certificate)
Common Commands
The following commands assume an EEC was previously issued by the GridShib CA:
> REM Copy EEC to well-known location:
> copy "%TEMP%\x509up_u_%USERNAME%" c:\temp\testcredential.pem
> REM Copy EEC to cygwin home:
> copy "%TEMP%\x509up_u_%USERNAME%" "C:\cygwin\home\%USERNAME%\testeec.pem"
$ openssl x509 -text -noout -in testeec.pem
$ openssl x509 -noout -subject -nameopt RFC2253 -in testeec.pem
Use the following commands to issue a level 1 proxy (assumes the SAML Tools have been configured to use the default Globus credential, which is an EEC):
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
--authn --address 255.255.255.255
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--x509 --outfile c:\temp\testcredential.pem
> REM Copy proxy to cygwin home:
> copy c:\temp\testcredential.pem "C:\cygwin\home\%USERNAME%\testproxy.pem"
$ openssl x509 -text -noout -in testproxy.pem
$ openssl x509 -noout -subject -nameopt RFC2253 -in testproxy.pem
Use the following commands to issue a level 2 proxy (assumes the SAML Tools have been configured to use the issuing credential at c:\temp\testcert.pem):
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
--authn --address 255.255.255.255
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--x509 --outfile c:\temp\testcredential.pem
--config file:/c:/temp/gridshib-saml-issuer.properties
> REM Copy proxy to cygwin home:
> copy c:\temp\testcredential.pem "C:\cygwin\home\%USERNAME%\testproxy.pem"
$ openssl x509 -text -noout -in testproxy.pem
$ openssl x509 -noout -subject -nameopt RFC2253 -in testproxy.pem
Use the following command to request the ShibEchoService:
> %GLOBUS_LOCATION%\bin\shibecho -d
-s https://localhost:8443/wsrf/services/ShibEchoService
-f %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-client-security-descriptor.xml
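The openssl one-liners above show one certificate at a time. The following script is an added example (not GridShib code) that walks a whole credential file from the cygwin side and classifies each certificate the way the CertUtil helpers listed earlier do: it finds the EEC index (first non-proxy certificate), tells an RFC 3820 impersonation proxy (policy language id-ppl-inheritAll) from a restricted one, and reports whether the certificate carries the SAML extension. Two assumptions are made that the page does not state: the SAML extension OID is taken to be 1.3.6.1.4.1.3536.1.1.1.10 (override SAML_EXT_OID if your SAML Tools build uses another), and certificates are assumed to appear in the order a Globus proxy file uses, proxy first and EEC last, with private-key blocks ignored. Legacy pre-RFC 3820 Globus proxies carry no ProxyCertInfo extension, so they are recognised by their final CN of "proxy" or "limited proxy".

```shell
#!/bin/sh
# Added example, not GridShib code: classify the certificates in a GSI
# credential file (proxy chain + EEC) with openssl alone, mirroring what
# CertUtil.getEECIndex / isImpersonationProxy / hasSAMLExtension test for.
#
# Assumptions (not stated on the page):
#   - SAML_EXT_OID is the OID under which the GridShib SAML Tools bind the
#     assertion to the certificate; override it if your build differs.
#   - Certificates appear proxy(s) first and EEC last, as in a Globus proxy
#     file; PRIVATE KEY blocks are skipped.
SAML_EXT_OID="${SAML_EXT_OID:-1.3.6.1.4.1.3536.1.1.1.10}"

# Write each CERTIFICATE block of $1 to $2/certNNN.pem (0-based); print count.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%03d.pem", dir, n); n++; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

cert_text() { openssl x509 -noout -text -in "$1"; }

# RFC 3820 proxy: carries the ProxyCertInfo extension (1.3.6.1.5.5.7.1.14).
# Legacy Globus proxies have no extension; their last CN is "proxy" or
# "limited proxy", which RFC 2253 ordering puts first in the subject.
is_proxy_cert() {
    cert_text "$1" | grep -q -e 'Proxy Certificate Information' -e '1\.3\.6\.1\.5\.5\.7\.1\.14' && return 0
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -qE '^subject= ?CN=(limited )?proxy,'
}

# Impersonation proxy: policy language id-ppl-inheritAll (1.3.6.1.5.5.7.21.1),
# which openssl -text prints as "Inherit all".
is_impersonation_proxy() {
    is_proxy_cert "$1" || return 1
    cert_text "$1" | grep -q -e 'Inherit all' -e '1\.3\.6\.1\.5\.5\.7\.21\.1'
}

# openssl prints an extension it does not know by its dotted OID, so the
# SAML extension check is a literal match on the (assumed) OID.
has_saml_extension() {
    cert_text "$1" | grep -qF "$SAML_EXT_OID"
}

# 0-based index of the first non-proxy certificate, i.e. the EEC
# (like CertUtil.getEECIndex); -1 if the file holds nothing but proxies.
get_eec_index() {
    tmp=$(mktemp -d); count=$(split_certs "$1" "$tmp"); i=0; result=-1
    while [ "$i" -lt "$count" ]; do
        if ! is_proxy_cert "$tmp/$(printf 'cert%03d.pem' "$i")"; then result=$i; break; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; echo "$result"
}

# One line per certificate: index, RFC 2253 subject, kind, SAML extension.
describe_chain() {
    tmp=$(mktemp -d); count=$(split_certs "$1" "$tmp"); i=0
    while [ "$i" -lt "$count" ]; do
        f="$tmp/$(printf 'cert%03d.pem' "$i")"; kind=EEC; saml=no
        if is_proxy_cert "$f"; then
            if is_impersonation_proxy "$f"; then kind='impersonation proxy'; else kind='restricted proxy'; fi
        fi
        has_saml_extension "$f" && saml=yes
        printf '%d: %s [%s; SAML extension: %s]\n' "$i" \
            "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f")" "$kind" "$saml"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Usage (hypothetical file name): sh classify_chain.sh testproxy.pem
if [ "$#" -gt 0 ]; then describe_chain "$1"; fi
```

Run it against testproxy.pem after issuing a level 1 or level 2 proxy to confirm that the SAML extension landed on the proxy (not on the EEC) and that the EEC index is what the PIP will see. The script only inspects structure; it does not verify signatures, validity periods or the path to a trusted CA, which is GSI's job during authentication, so a chain that classifies cleanly here can still fail the handshake, as the faulty proxy in the Configuration Issue above did.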

