GridShib SAML Tools
Version 0.4.1 (June 7, 2008)

Welcome to GridShib!

GridShib is an NSF-funded project that enables interoperability between Globus Toolkit® and Shibboleth®. Visit the GridShib web site (http://gridshib.globus.org/) for more information about the GridShib Project.

GridShib distributes four software components:

  1. GridShib for Globus Toolkit
  2. GridShib for Shibboleth
  3. GridShib Certificate Authority
  4. GridShib SAML Tools

These software components help bridge the gap between SAML federations based on Shibboleth and Grid federations based on Globus Toolkit. Visit the GridShib Deployment Scenarios page to see how the various GridShib components might be used.

Overview

The GridShib SAML Tools bind arbitrary content to a non-critical extension of an X.509 proxy certificate. In particular, the SAML Tools issue or request SAML assertions and optionally bind these assertions to X.509 proxy certificates.

Important features of the GridShib SAML Tools include:

The GridShib SAML Tools consist of the following subcomponents:

  1. SAML Security Info Tool
  2. X.509 Binding Tool
  3. SAML Assertion Issuer Tool
  4. SAML Query Client
  5. GridShib Common
  6. Globus SAML Library

The SAML Security Info Tool inspects a Globus credential for bound SAML content. It takes a path to a Globus credential on the command line and prints the SAML security information contained in that credential.

The X.509 Binding Tool is a general tool for binding arbitrary content to a non-critical extension of an X.509 proxy certificate. Examples of such content include a SAML assertion, an XACML policy, or any other DER-encoded content provided in ASN.1 format.

The SAML Assertion Issuer Tool self-issues a SAML assertion and optionally binds this assertion to an X.509 proxy certificate. The assertion can include up to two statements (an AuthenticationStatement and/or an AttributeStatement). A significant feature of this tool is its ability to leverage a fully configured Shibboleth attribute resolver (to be bundled with a later version of this software).

The SAML Query Client queries a SAML Attribute Authority (AA) for attributes. The Client validates the SAML Response and outputs the attribute assertion. Like the SAML Assertion Issuer Tool, the SAML Query Client optionally binds this assertion to an X.509 proxy certificate. (A fully integrated version of the SAML Query Client will be bundled with a later version of this software.)

GridShib Common is an API for Java developers, packaged as a JAR file and distributed with the SAML Tools. GridShib Common includes the GridShib Security Framework, an API for producing and consuming X.509-bound SAML tokens. Portal developers, for example, can use GridShib Common to introduce SAML into the portal's grid security infrastructure.

The Globus SAML Library is an enhanced version of OpenSAML 1.1. The Library supports the following OASIS Standards:

The Globus SAML Library also conforms to the OASIS Subject-based Profiles for SAML V1.1 Assertions.

Download

You can download the GridShib SAML Tools (GS-ST) software distribution from the GridShib Downloads page:

GS-ST Download
Download the software in GZIP or ZIP format, or browse the online CVS repository.
http://gridshib.globus.org/download.html#saml-tools

Please review the licensing terms of the GridShib License before using this software. GridShib is licensed under the Apache License, Version 2.0. Additional licensing information can be found on the GridShib Downloads page.

Documentation

Available documentation for the GridShib SAML Tools (GS-ST) includes the following:

GS-ST Install Notes

A brief set of Installation Notes for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/install.html

GS-ST User Guide

A comprehensive User Guide for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/user-guide.html

GS-ST Developer Guide

A Developer Guide for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/dev-guide.html

GS-ST API documentation

This is Java API documentation for GridShib Common.
http://gridshib.globus.org/docs/gridshib-saml-tools/api/

GS-ST Change Log

This text file documents the changes between GS-ST versions.
http://gridshib.globus.org/docs/gridshib-saml-tools/CHANGES.txt

To illustrate how the GridShib SAML Tools are used in conjunction with GridShib for GT and the GridShib CA, a comprehensive Quick Start is provided:

GridShib Quick Start

The Quick Start provides step-by-step instructions for various deployment and configuration options for all GridShib components.
http://gridshib.globus.org/docs/gridshib/quick-start.html


Globus Toolkit (http://www.globus.org/toolkit/) is an open-source toolkit for grid computing. Shibboleth (http://shibboleth.internet2.edu/) is an open-source implementation of the SAML browser profiles. Globus Toolkit® and Shibboleth® are registered trademarks of the University of Chicago and Internet2, respectively.

The GridShib Project
http://gridshib.globus.org/
