GridShib for Globus Toolkit is a plugin for Globus Toolkit 4 (GT4). See the GridShib web site (http://gridshib.globus.org/) for background information about the GridShib Project.
This document is a supplement to the GridShib for GT v0.4.0 Admin Guide:
http://gridshib.globus.org/docs/admin-index.html
Together these two documents describe how to install and configure this Technology Preview of GridShib for GT v0.4.1.
The software requirements for GridShib for GT v0.4.1 are the same as v0.4.0. See the GridShib Downloads page for general requirements and instructions:
http://gridshib.globus.org/download.html#gridshib-gt
This Technology Preview of GridShib for GT v0.4.1 will query an ordinary Shibboleth Identity Provider version 1.3b or later. The current stable version of the Shibboleth Identity Provider (IdP) is version 1.3c, which is available for download from the Shibboleth web site:
http://shibboleth.internet2.edu/latest.html
Install, configure, and test your IdP deployment according to the published guidelines of the Shibboleth Project:
https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WebHome
As a final test, download the Shibboleth IdP Tester:
http://gridshib.globus.org/download.html#shib-idp-tester
and run the test outlined in the instructions bundled with the tarball.
IMPORTANT! Do not continue with this installation until your IdP deployment has passed all the tests, including the important Shibboleth IdP Tester test.
Configuring GridShib for GT (below) will be simpler if you produce an IdP metadata file (gridshib-idp-metadata.xml) in advance. Follow the instructions in the METADATA section of the GridShib for Shibboleth installation document:
Use this metadata file in installation step 6 below.
Note: Later versions of this Technology Preview will require GridShib for Shibboleth, a plugin for a Shibboleth IdP.
http://gridshib.globus.org/downloads/gridshib-gt-source-0_4_1-tp1.tar.gz
SAMLAuthnAssertionPIP and ShibbolethPDP classes in the authorization chain. This example shows an echo service's security descriptor with the correct authorization chain configured:
<securityConfig xmlns="http://www.globus.org">
  <auth-method>
    <GSITransport/>
  </auth-method>
  <authz
    value="shibecho:org.globus.wsrf.impl.security.authorization.SAMLAuthnAssertionPIP
           shibecho:org.globus.wsrf.impl.security.authorization.ShibbolethPDP"/>
</securityConfig>
http://gridshib.globus.org/docs/admin-index.html#gt4-config-edit-wsdd
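The descriptor above is easy to get subtly wrong by hand (a PDP with no PIP feeding it, or the two interceptors under different scopes). The following added check, which is not part of GridShib or GT4, parses a security descriptor and reports such mistakes; it assumes the descriptor layout shown above and that the PIP must precede the PDP in the chain, as in the example.

```python
import xml.etree.ElementTree as ET

PIP = "org.globus.wsrf.impl.security.authorization.SAMLAuthnAssertionPIP"
PDP = "org.globus.wsrf.impl.security.authorization.ShibbolethPDP"

# Constructed copy of the shibecho security descriptor shown above.
SHIBECHO_DESCRIPTOR = """<securityConfig xmlns="http://www.globus.org">
  <auth-method><GSITransport/></auth-method>
  <authz value="shibecho:org.globus.wsrf.impl.security.authorization.SAMLAuthnAssertionPIP
                shibecho:org.globus.wsrf.impl.security.authorization.ShibbolethPDP"/>
</securityConfig>"""

def local(tag):
    """Local name of an element tag, ignoring the descriptor's namespace."""
    return tag.rsplit("}", 1)[-1]

def parse_authz_chain(descriptor_xml):
    """Return the authz chain as ordered (scope, class) pairs."""
    root = ET.fromstring(descriptor_xml)
    authz = [e for e in root.iter() if local(e.tag) == "authz"]
    chain = []
    # The value attribute is whitespace-separated "scope:class" entries.
    for entry in (authz[0].get("value", "").split() if authz else []):
        scope, _, cls = entry.partition(":")
        chain.append((scope, cls))
    return chain

def check_authz_chain(descriptor_xml):
    """Return a list of findings; an empty list means the chain has the expected shape."""
    chain = parse_authz_chain(descriptor_xml)
    classes = [cls for _, cls in chain]
    findings = []
    if PIP not in classes:
        findings.append("SAMLAuthnAssertionPIP is not in the authz chain")
    if PDP not in classes:
        findings.append("ShibbolethPDP is not in the authz chain")
    if not findings:
        pip_i, pdp_i = classes.index(PIP), classes.index(PDP)
        # Assumption: the PIP that extracts the assertion must run before the PDP that uses it.
        if pip_i > pdp_i:
            findings.append("ShibbolethPDP is listed before SAMLAuthnAssertionPIP")
        if chain[pip_i][0] != chain[pdp_i][0]:
            findings.append("PIP and PDP are configured under different scopes")
    return findings
```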
Configure the authorization chain with the necessary parameters. If an IdP metadata file is available (see the Requirements section), do not explicitly configure the IdP's URL, providerId, and certificate information as indicated in section 3.2. In that case, perform the following step as well:
http://gridshib.globus.org/docs/admin-index.html#gt4-config-metadata
Use the IdP metadata file (gridshib-idp-metadata.xml) from the Requirements section.
A Grid SP consumes the metadata of an entity it trusts. The IdP metadata produced in the Requirements section (gridshib-idp-metadata.xml) is consumed by the Grid SP as a result of the above installation. In general, an IdP administrator produces metadata and distributes it to interested Grid SPs out-of-band.
Likewise, Grid SP metadata is consumed by an IdP willing to provide attributes to the Grid SP. To facilitate the production of Grid SP metadata, a template (gridshib-sp-metadata-template.xml) has been provided:
Perform the following steps to customize and prepare this template for distribution to IdP endpoints:
Repeat steps 4–6 as necessary. Remember, if you subsequently modify gridshib-sp-metadata.xml, it must be signed and distributed anew.
Note: In what follows, $EXTENSION_NAME$ is a placeholder for "test-idp-0_4_4" or whatever version of the IdP Tester you downloaded earlier.
Configure your IdP to work with GridShib for GT v0.4.1 as follows:
<RelyingParty
  name="urn:mace:gridshib:metadata:sp"
  signingCredential="example_cred">
  <NameID nameMapping="email"/>
</RelyingParty>
The value of the name attribute matches attribute /EntitiesDescriptor/@Name in the grid service provider metadata file (gridshib-sp-metadata.xml). The value of the signingCredential attribute must match the FileResolver/@Id attribute in the config file. The RelyingParty element must be adjacent to other RelyingParty elements (since the order of XML elements matters).
<MetadataProvider
  type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
  uri="file://$IDP_HOME$/etc/$EXTENSION_NAME$/gridshib-sp-metadata.xml"/>
Be sure to substitute placeholders $IDP_HOME$ and $EXTENSION_NAME$ with their actual values.
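The three constraints above (RelyingParty/@name equals EntitiesDescriptor/@Name, signingCredential names an existing FileResolver/@Id, and no $...$ placeholder survives in the MetadataProvider uri) are the usual causes of a Grid SP that is silently refused attributes. This added check is not part of GridShib or the Shibboleth IdP; it takes idp.xml and gridshib-sp-metadata.xml as XML strings and assumes only the element and attribute names shown above (the constructed idp.xml is a minimal stand-in, with the FileResolver simplified to its Id).

```python
import re
import xml.etree.ElementTree as ET

# Constructed, minimal idp.xml: the two additions from the text plus the
# FileResolver that declares the signing credential. Placeholders left in.
IDP_XML = """<IdPConfig>
  <RelyingParty name="urn:mace:gridshib:metadata:sp" signingCredential="example_cred">
    <NameID nameMapping="email"/>
  </RelyingParty>
  <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
      uri="file://$IDP_HOME$/etc/$EXTENSION_NAME$/gridshib-sp-metadata.xml"/>
  <Credentials><FileResolver Id="example_cred"/></Credentials>
</IdPConfig>"""

# Constructed stand-in for the root element of gridshib-sp-metadata.xml.
SP_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:gridshib:metadata:sp"/>"""

PLACEHOLDER = re.compile(r"\$[A-Z_]+\$")   # e.g. $IDP_HOME$

def local(tag):
    """Local name of an element tag, ignoring any XML namespace."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def check_idp_config(idp_xml, sp_metadata_xml):
    """Return a list of findings; an empty list means the wiring is consistent."""
    idp, sp = ET.fromstring(idp_xml), ET.fromstring(sp_metadata_xml)
    findings = []
    sp_name = sp.get("Name") if local(sp.tag) == "EntitiesDescriptor" else None
    resolver_ids = {e.get("Id") for e in find_all(idp, "FileResolver")}
    parties = [e for e in find_all(idp, "RelyingParty") if e.get("name") == sp_name]
    if not parties:
        findings.append(f"no RelyingParty matches EntitiesDescriptor/@Name {sp_name!r}")
    for rp in parties:
        cred = rp.get("signingCredential")
        if cred not in resolver_ids:
            findings.append(f"signingCredential {cred!r} matches no FileResolver/@Id")
        if not any(local(n.tag) == "NameID" and n.get("nameMapping") == "email" for n in rp):
            findings.append('RelyingParty lacks <NameID nameMapping="email"/>')
    uris = [p.get("uri", "") for p in find_all(idp, "MetadataProvider")]
    if not any(u.endswith("/gridshib-sp-metadata.xml") for u in uris):
        findings.append("no MetadataProvider loads gridshib-sp-metadata.xml")
    for u in uris:
        if PLACEHOLDER.search(u):
            findings.append(f"unsubstituted placeholder in MetadataProvider uri {u!r}")
    return findings
```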
Download and install the client software:
http://gridshib.globus.org/downloads/gridshib-authn-proxy-client-source-0_1.tar.gz
To generate a proxy certificate with embedded SAML authentication assertion, invoke the 'createproxy' command line program in directory gridshib/x509tools/java/source as follows:
$ createproxy -f Format -i NameQualifier -u NameIdentifier \
              -c Path_to_Cert -k Path_to_Key -o Out_Proxy
where:
Format is a name identifier format, used as the value of the NameIdentifier/@Format attribute in the authentication assertion. In this case, the desired value is 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'.
NameQualifier is the providerId (a URI) of the Shibboleth IdP, used as the value of the NameIdentifier/@NameQualifier attribute.
NameIdentifier is the value of the NameIdentifier element in the authentication assertion. In this case, the name identifier is of the form 'user@domain', where user is the principal name of the authenticated user and domain is the value of the NameMapping/@domain attribute configured in idp.xml.
Path_to_Cert is the path to the certificate from which the proxy should be generated.
Path_to_Key is the path to the unencrypted private key corresponding to the certificate.
Out_Proxy is the output path for the file to which the resulting proxy should be written.