You can integrate the GridShib SAML Tools with the GridShib-CA in order to include a SAML assertion in the certificates it issues. By default this will include the SAML SSO Response provided by Shibboleth, though you can configure it to include other attributes as well.
Note that this functionality only works with the OpenSSL version of the GridShib CA (as opposed to the version using MyProxy).
The procedure is as follows. These directions were written for version 0.3.0 of the GridShib SAML Tools:
Install the GridShib SAML Tools.
Make sure $GRIDSHIB_HOME and all of its contents are readable (and executable where appropriate) by the user under which Apache runs. (The easiest way is to make the tree owned by that user.)
Edit $GRIDSHIB_HOME/etc/gridshib-saml-issuer.properties and make the following changes:
Set IdP.entityID to the URL that identifies your GridShib-CA installation. Typically this can be the URI which identifies the SP deployment in which the GridShib-CA is deployed.
Change the NameID.Format to urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
Edit the attributes, i.e. the lines starting with Attribute.*. You probably just want to comment them out, but if you want to include attributes for all certificates you issue, this is the place to do it.
Add the following lines, changing the paths to point at your GridShib CA's certificate and private key:
certLocation=file:/usr/local/gridshib-ca-0.5.2/gridshib-ca-cert.pem
keyLocation=file:/usr/local/gridshib-ca-0.5.2/gridshib-ca-key.pem
Now edit your gridshib-ca.conf file (by default this will be in /usr/local/gridshib-ca-0.5.2) and make the following changes:
Change IncludeSAMLInCert to "True"
Change JavaHome to the path for your JAVA_HOME.
Change GridShibSAMLToolsPath to the path in which you installed the GridShib SAML Tools (a.k.a. GRIDSHIB_HOME).
That should do it. Now when you get certificates back from the GridShib-CA, they will contain a SAML assertion. If you run 'grid-proxy-info -text' you should see an X509v3 extension with an OID of 1.3.6.1.4.1.3536.1.1.1.12.
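The following added example (not part of the GridShib distribution) audits gridshib-saml-issuer.properties for the settings changed in the procedure above: IdP.entityID, NameID.Format, active Attribute.* lines, and the certLocation/keyLocation paths. It assumes plain key=value lines and file: URLs as shown above; the test that the private key is not accessible to group or other is an added hardening check, and the host name and Attribute key in the sample are constructed.

```python
import os, stat, tempfile

X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

def load_properties(path):
    """Parse plain key=value lines; a leading '#' or '!' marks a comment."""
    props = {}
    with open(path, encoding="latin-1") as fh:
        for line in (raw.strip() for raw in fh):
            key, sep, value = line.partition("=")
            if sep and line[0] not in "#!":
                props[key.strip()] = value.strip()
    return props

def audit_issuer_properties(path):
    """Return a list of findings for the settings the procedure changes."""
    props, findings = load_properties(path), []
    if not props.get("IdP.entityID"):
        findings.append("IdP.entityID is not set")
    if props.get("NameID.Format") != X509_SUBJECT_NAME:
        findings.append("NameID.Format is not X509SubjectName")
    active = sorted(k for k in props if k.startswith("Attribute."))
    if active:  # active attributes are issued with every certificate
        findings.append("active Attribute.* lines: " + ", ".join(active))
    for key in ("certLocation", "keyLocation"):
        url = props.get(key, "")
        target = url[len("file:"):]
        if not url.startswith("file:"):
            findings.append(key + " is missing or not a file: URL")
        elif not os.path.isfile(target):
            findings.append(key + " points at a missing file")
        elif key == "keyLocation" and stat.S_IMODE(os.stat(target).st_mode) & 0o077:
            # Added hardening check; assumes the key is owned by the Apache user.
            findings.append("private key is accessible to group or other")
    return findings

def demo(key_mode=0o644, name_format="urn:example:constructed-wrong-format"):
    """Audit a constructed sample configuration written to a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        cert, key, conf = (os.path.join(d, n) for n in ("cert.pem", "key.pem", "issuer.properties"))
        for p in (cert, key):
            open(p, "w").close()
        os.chmod(key, key_mode)
        with open(conf, "w") as fh:
            fh.write("# constructed sample, not a real deployment\n"
                     f"IdP.entityID=https://ca.example.org/shibboleth\nNameID.Format={name_format}\n"
                     f"#Attribute.example=off\ncertLocation=file:{cert}\nkeyLocation=file:{key}\n")
        return audit_issuer_properties(conf)

if __name__ == "__main__": print("\n".join(demo()) or "no findings")
```

To check a real installation, call audit_issuer_properties() with the path to $GRIDSHIB_HOME/etc/gridshib-saml-issuer.properties as the user under which Apache runs.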