GridShib for Globus Toolkit is a plugin for Globus Toolkit 4 (GT4). See the GridShib web site (http://gridshib.globus.org/) for background information about the GridShib Project.
This document is a supplement to the GridShib for GT v0.4.0 Admin Guide:
Together these two documents describe how to install and configure this Technology Preview of GridShib for GT v0.4.1.
The software requirements for GridShib for GT v0.4.1 are the same as v0.4.0. See the GridShib Downloads page for general requirements and instructions:
This Technology Preview of GridShib for GT v0.4.1 will query an ordinary Shibboleth Identity Provider version 1.3b or later. The current stable version of the Shibboleth Identity Provider (IdP) is version 1.3c, which is available for download from the Shibboleth web site:
Install, configure, and test your IdP deployment according to the published guidelines of the Shibboleth Project:
As a final test, download the Shibboleth IdP Tester:
and run the test outlined in the instructions bundled with the tarball.
IMPORTANT! Do not continue with this installation until your IdP deployment has passed all the tests, including the important Shibboleth IdP Tester test.
Configuring GridShib for GT (below) will be simpler if you produce an IdP metadata file (gridshib-idp-metadata.xml) in advance. Follow the instructions in the METADATA section of the GridShib for Shibboleth installation document:
Use this metadata file in installation step 6 below.
Note: Later versions of this Technology Preview will require GridShib for Shibboleth, a plugin for a Shibboleth IdP.
ShibbolethPDP classes in the authorization chain. This example shows an echo service's security descriptor with the correct authorization chain configured:

    <securityConfig xmlns="http://www.globus.org">
      <auth-method>
        <GSITransport/>
      </auth-method>
      <authz value="shibecho:org.globus.wsrf.impl.security.authorization.SAMLAuthnAssertionPIP shibecho:org.globus.wsrf.impl.security.authorization.ShibbolethPDP"/>
    </securityConfig>
Configure the authorization chain with the necessary parameters (see http://gridshib.globus.org/docs/admin-index.html#gt4-config-edit-wsdd). If an IdP metadata file is available (see the Requirements section), do not explicitly configure the IdP's URL, providerId, and certificate information as indicated in section 3.2. In that case, perform the following step as well.
Use the IdP metadata file (gridshib-idp-metadata.xml) from the Requirements section (see http://gridshib.globus.org/docs/admin-index.html#gt4-config-metadata).
A Grid SP consumes the metadata of an entity it trusts. The IdP metadata produced in the Requirements section (gridshib-idp-metadata.xml) is consumed by the Grid SP as a result of the above installation. In general, an IdP administrator produces metadata and distributes it to interested Grid SPs out-of-band.
Likewise, Grid SP metadata is consumed by an IdP willing to provide attributes to the Grid SP. To facilitate the production of Grid SP metadata, a template (gridshib-sp-metadata-template.xml) has been provided:
Perform the following steps to customize and prepare this template for distribution to IdP endpoints:
Repeat steps 4–6 as necessary. Remember, if you subsequently modify gridshib-sp-metadata.xml, it must be signed and distributed anew.
Note: In what follows, $EXTENSION_NAME$ is a placeholder for "test-idp-0_4_4" or whatever version of the IdP Tester you downloaded earlier.
Configure your IdP to work with GridShib for GT v0.4.1 as follows:
    <RelyingParty name="urn:mace:gridshib:metadata:sp" signingCredential="example_cred">
      <NameID nameMapping="email"/>
    </RelyingParty>

The value of the name attribute matches the /EntitiesDescriptor/@Name attribute in the grid service provider metadata file (gridshib-sp-metadata.xml). The value of the signingCredential attribute must match the FileResolver/@Id attribute in the config file. The RelyingParty element must be adjacent to the other RelyingParty elements (since the order of XML elements matters).
    <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
        uri="file://$IDP_HOME$/etc/$EXTENSION_NAME$/gridshib-sp-metadata.xml"/>

Be sure to substitute the placeholders $IDP_HOME$ and $EXTENSION_NAME$ with their actual values.
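As an added consistency check (example code written for this guide, not part of GridShib or the Shibboleth distribution), the script below parses a constructed idp.xml fragment and a constructed gridshib-sp-metadata.xml and verifies the three cross-references just described: RelyingParty/@name against /EntitiesDescriptor/@Name, signingCredential against FileResolver/@Id, and a MetadataProvider that loads the SP metadata file. Elements are matched by local name, so the namespace URIs and the file path in the samples are assumptions and do not affect the check.

```python
import xml.etree.ElementTree as ET

# Constructed idp.xml fragment (not a real deployment's file); the $IDP_HOME$
# path and the credential Id are placeholders.
IDP_XML = """<IdPConfig xmlns="urn:mace:shibboleth:idp:config:1.0">
  <RelyingParty name="urn:mace:gridshib:metadata:sp" signingCredential="example_cred">
    <NameID nameMapping="email"/>
  </RelyingParty>
  <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
      uri="file:///opt/shibboleth-idp/etc/test-idp-0_4_4/gridshib-sp-metadata.xml"/>
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="example_cred"/>
  </Credentials>
</IdPConfig>"""

# Constructed Grid SP metadata; only the attribute the IdP must match is filled in.
SP_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:gridshib:metadata:sp"/>"""

def _local(tag):
    # Match elements by local name so the namespace URIs do not matter.
    return tag.rsplit("}", 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_relying_party(idp_xml, sp_metadata_xml):
    """Return the list of mismatches between idp.xml and the Grid SP metadata;
    an empty list means the three cross-references are consistent."""
    idp, md = ET.fromstring(idp_xml), ET.fromstring(sp_metadata_xml)
    if _local(md.tag) != "EntitiesDescriptor" or md.get("Name") is None:
        return ["SP metadata root is not an EntitiesDescriptor with a Name"]
    sp_name = md.get("Name")
    problems = []
    # 1. RelyingParty/@name must equal /EntitiesDescriptor/@Name.
    parties = [rp for rp in _find_all(idp, "RelyingParty") if rp.get("name") == sp_name]
    if not parties:
        return ["no RelyingParty with name=%r" % sp_name]
    # 2. signingCredential must name an existing FileResolver/@Id.
    resolver_ids = {fr.get("Id") for fr in _find_all(idp, "FileResolver")}
    for rp in parties:
        cred = rp.get("signingCredential")
        if cred not in resolver_ids:
            problems.append("signingCredential %r has no FileResolver with that Id" % cred)
    # 3. A MetadataProvider must load the signed gridshib-sp-metadata.xml.
    uris = [mp.get("uri", "") for mp in _find_all(idp, "MetadataProvider")]
    if not any(u.endswith("gridshib-sp-metadata.xml") for u in uris):
        problems.append("no MetadataProvider loads gridshib-sp-metadata.xml")
    return problems
```

Run it against your real idp.xml and gridshib-sp-metadata.xml by passing their contents in place of the constructed strings; any non-empty result points at the line of the IdP configuration that still needs attention.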
Download and install the client software:
To generate a proxy certificate with an embedded SAML authentication assertion, invoke the 'createproxy' command line program in directory gridshib/x509tools/java/source as follows:

    $ createproxy -f Format -i NameQualifier -u NameIdentifier \
          -c Path_to_Cert -k Path_to_Key -o Out_Proxy
Format is a name identifier format, used as the value of the NameIdentifier/@Format attribute in the authentication assertion. In this case, the desired value is
NameQualifier is the providerId (a URI) of the Shibboleth IdP, used as the value of the
NameIdentifier is the value of the NameIdentifier element in the authentication assertion. In this case, the name identifier is of the form
user is the principal name of the authenticated user and domain is the value of the NameMapping/@domain attribute configured in idp.xml.
Path_to_Cert is the path to the certificate from which the proxy should be generated.
Path_to_Key is the path to the unencrypted private key corresponding to the certificate.
Out_Proxy is the output path for the file to which the resulting proxy should be written.