HoK Assertion Request Profiles
Motivation for the HoK Assertion Request Profiles
December 29, 2008. Posting to the OASIS SSTC Discussion List
By Tom Scavo (NCSA).
The Virtual Organization Membership Service (VOMS) [1] is the most successful attribute-based authorization framework in the Grid. A traditional VOMS credential is an X.509 attribute certificate [2] bound to an X.509 proxy certificate [3]. Recently, however, VOMS has added a SAML interface [4] to its server implementation.
Meanwhile, the OGSA Authorization Working Group [5], under the auspices of the Open Grid Forum [6], is profiling the authorization decision function of a Grid service provider. There are four documents [7] under consideration within the Authz WG:
- Functional Components of Grid Service Provider Authorisation Service Middleware (pub 6 April 08)
- Use of WS-TRUST and SAML to access a Credential Validation Service (pub 9 July 08)
- Use of XACML Request Context to Obtain an Authorisation Decision (pub 31 Mar 08)
- Use of SAML to retrieve Authorization Credentials (pub 7 April 2008)
The last of these specifications (aka the "OGSA attribute exchange") profiles a SAML attribute exchange as implemented by the new VOMS SAML interface. The original OGSA attribute exchange profile is based on the SAML V2.0 Deployment Profiles for X.509 Subjects [8], which profiles the case where the requester acts on behalf of the subject and also the case where the requester is the subject (self-query).
When Nate Klingenstein published the SAML V2.0 Holder-of-Key Web Browser SSO Profile [9], it became clear that the self-query use case in the Deployment Profiles for X.509 Subjects was unnecessarily restrictive. Indeed, there are many more SAML deployments based on username/password credentials than there are deployments based on X.509-based PKI, so the OGSA attribute exchange profile (which has already undergone public review) needs to be totally rewritten so that it can leverage the existing installed base of SAML IdPs.
The SAML V2.0 Holder-of-Key Assertion Request Profiles [10] form the basis of the new OGSA attribute exchange profile. In particular, the SAML V2.0 Holder-of-Key Self-Request Profile (section 2 of [10]) describes in general terms how a subject self-issues a SAML request to obtain a holder-of-key assertion. As with the HoK Web Browser SSO Profile, the subject authenticates to the IdP in whatever way is most convenient. For example, the subject can use an existing username/password credential to authenticate to the IdP via HTTP Basic Authentication, WS-Security Username Token Profile, or perhaps even OAuth.
Tom Scavo NCSA
[1] http://www.globus.org/grid_software/security/voms.php
[2] http://www.ietf.org/rfc/rfc3281.txt
[3] http://www.ietf.org/rfc/rfc3820.txt
[4] http://repository.omii-europe.org/downloads/project.jsp?projectid=7
[5] http://forge.gridforum.org/projects/ogsa-authz
[6] http://www.ogf.org/
[7] http://forge.gridforum.org/sf/docman/do/listDocuments/projects.ogsa-authz/docman.root.authz_service?_sortby=documentList(dateLastModified)&_sorder=documentList(desc)
[8] http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy
[9] http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
[10] http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest
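The self-request exchange described in the posting above, as an added example that is not code from the posting, the OASIS profile draft, or VOMS: the subject builds a self-issued SAML AttributeQuery whose Subject carries a holder-of-key SubjectConfirmation naming its own certificate, authenticates to the IdP with an HTTP Basic header, and then checks that the assertion it gets back is confirmed by holder-of-key for that same certificate rather than by bearer or by some other key. The element layout of the query (AttributeQuery with a ds:KeyInfo/ds:X509Data inside SubjectConfirmationData) is an assumption following SAML V2.0 Core conventions, since the profile text is not reproduced on this page; the certificate string, the IdP response, the issuer URL and the attribute name are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs from SAML V2.0 Core and XML Signature (standard, not assumed).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed placeholder standing in for the base64 DER of the subject's
# certificate. It is compared as an opaque string and never decoded.
SAMPLE_CERT_B64 = "MIIBsampleConstructedCertificateNotARealCert0000"


def normalize_b64(text):
    """Strip the whitespace XML serializers insert into base64 text nodes."""
    return "".join((text or "").split())


def basic_auth_header(username, password):
    """HTTP Basic credential the subject sends with the query (the
    username/password path the posting mentions)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_self_query(name_id, cert_b64, issuer, request_id, issue_instant):
    """Self-issued AttributeQuery: the Subject's holder-of-key
    SubjectConfirmation names the key the assertion should be bound to.
    Assumption: element layout follows SAML Core; see lead-in."""
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery",
                   {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = issuer
    subj = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = name_id
    sc = ET.SubElement(subj, f"{{{NS['saml']}}}SubjectConfirmation", {"Method": HOK})
    scd = ET.SubElement(sc, f"{{{NS['saml']}}}SubjectConfirmationData")
    ki = ET.SubElement(scd, f"{{{NS['ds']}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = cert_b64
    return ET.tostring(q, encoding="unicode")


def hok_assertion_ids(response_xml, presenter_cert_b64):
    """IDs of assertions whose holder-of-key confirmation names the
    presenter's certificate. Bearer confirmations, and HoK confirmations for
    another key, are skipped even when they carry a ds:KeyInfo: accepting
    those would turn a bearer assertion into a supposed holder-of-key one."""
    root = ET.fromstring(response_xml)
    want = normalize_b64(presenter_cert_b64)
    ids = []
    for assertion in root.iter(f"{{{NS['saml']}}}Assertion"):
        for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
            if sc.get("Method") != HOK:
                continue
            certs = sc.findall(
                "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if any(normalize_b64(c.text) == want for c in certs):
                ids.append(assertion.get("ID"))
    return ids


def make_response(method, cert_b64, assertion_id="_a1"):
    """Constructed IdP response used only as offline sample input."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2008-12-29T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2008-12-29T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{method}">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
            {cert_b64}
          </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="vo-role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(basic_auth_header("alice", "s3cret"))
    print(build_self_query("alice", SAMPLE_CERT_B64, "https://client.example.org",
                           "_q1", "2008-12-29T00:00:00Z"))
    for method, cert in [(HOK, SAMPLE_CERT_B64), (BEARER, SAMPLE_CERT_B64),
                         (HOK, "MIIBotherKeyNotTheRequesters0000")]:
        print(method.rsplit(":", 1)[1], hok_assertion_ids(make_response(method, cert), SAMPLE_CERT_B64))
```

In a real deployment the IdP must also prove to itself that the requester holds the key it names (for example by requiring the query over TLS with that client certificate, or an XML signature by that key) before it issues the assertion; otherwise anyone with a username/password could obtain an assertion bound to someone else's key. That server-side check is outside this client-side example.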
VOMS: Virtual Organization Membership Service
VOMS is a system for managing authorization data within multi-institutional collaborations. VOMS provides a database of user roles and capabilities and a set of tools for accessing and manipulating the database and using the database contents to generate Grid credentials for users when needed.
The VOMS database contains authorization data that defines specific capabilities and general roles for specific users. A suite of administrative tools allows administrators to assign roles to users and manipulate capability information. A command-line tool (voms-proxy-init) allows users to generate a local proxy credential based on the contents of the VOMS database. This credential includes the basic authentication information that standard Grid proxy credentials contain, but it also includes role and capability information from the VOMS server. Standard Grid applications can use the credential without using the VOMS data, whereas VOMS-aware applications can use the VOMS data to make authentication decisions regarding user requests.
VOMS allows distributed collaborations to centrally manage user roles and capabilities. The VOMS user credentials provide additional role and capability data to application service providers that can then be used to make more fully-informed authorization decisions.
See also the software download web site.
VOMS is a DataGrid Project funded by European Union. The objective of the DataGrid Project is to build the next generation computing infrastructure providing intensive computation and analysis of shared large-scale databases, from hundreds of TeraBytes to PetaBytes, across widely distributed scientific communities...
[Posting source]
Prepared by Robin Cover for The XML Cover Pages archive. See also "Security Assertion Markup Language (SAML)."