GridShib is an NSF-funded project to allow interoperability between Globus Toolkit® and Shibboleth®. Visit the GridShib web site (http://gridshib.globus.org/) for more information about the GridShib Project.
GridShib distributes four software components:
These software components help bridge the gap between SAML federations based on Shibboleth and Grid federations based on Globus Toolkit. Visit the GridShib Deployment Scenarios page to see how the various GridShib components might be used.
The GridShib SAML Tools bind arbitrary content to a non-critical extension of an X.509 proxy certificate. In particular, the SAML Tools issue or request SAML assertions and optionally bind these assertions to X.509 proxy certificates.
Important features of the GridShib SAML Tools include:
The GridShib SAML Tools consist of the following tools and subcomponents:
The SAML Assertion Extraction Tool is a simple utility that takes an X.509 proxy credential as input and extracts the SAML assertion bound to the last proxy certificate of that credential (if any).
The SAML Security Info Tool inspects an X.509 proxy credential for bound SAML content. It takes a path to a proxy credential on the command line and prints all the SAML security information contained in every proxy certificate of that credential.
The X.509 Binding Tool is a general tool for binding arbitrary content to a non-critical extension of an X.509 proxy certificate. Examples of such content include a SAML assertion, an XACML policy, or any other DER-encoded content provided in ASN.1 format.
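The binding and extraction steps described for the X.509 Binding Tool and the SAML Assertion Extraction Tool, as an added Go example that is not GridShib's own code: it places an opaque DER payload in a non-critical extension of a self-signed stand-in for the last proxy certificate, then reads it back from the last certificate of a chain. The extension OID, certificate names and payload are assumed placeholders; the OID GridShib actually uses is not given on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID; the OID GridShib actually uses for its extension is not given on this page.
var boundContentOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issueWithBoundContent mints a self-signed cert carrying content in a non-critical extension (a stand-in
// for the last proxy cert); relying parties must reject unknown critical extensions, hence non-critical.
func issueWithBoundContent(content []byte) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "sample proxy"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: boundContentOID, Critical: false, Value: content}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// extractBoundContent mirrors the extraction tool: only the last certificate of the chain
// is inspected, and the payload of the bound-content extension is returned if present.
func extractBoundContent(chain []*x509.Certificate) ([]byte, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	for _, ext := range chain[len(chain)-1].Extensions {
		if ext.Id.Equal(boundContentOID) {
			return ext.Value, nil
		}
	}
	return nil, fmt.Errorf("no bound content in last certificate")
}
```

A verifier that parses the certificate without knowing the OID still accepts it, because the extension is non-critical; the same payload under a critical extension would have to be rejected.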
The SAML Assertion Issuer Tool self-issues a SAML assertion and optionally binds this assertion to an X.509 proxy certificate. The assertion can include up to two statements (an AuthenticationStatement and/or an AttributeStatement). A significant feature of this tool is its ability to leverage a fully configured Shibboleth attribute resolver (to be bundled with a later version of this software).
The SAML Assertion Verify Tool invokes the Issuer Tool to obtain a SAML assertion. It then verifies that the assertion satisfies the command-line arguments and configuration parameters available to the Issuer Tool.
The SAML Query Client queries a SAML Attribute Authority (AA) for attributes. The Client validates the SAML Response and outputs the attribute assertion. Like the SAML Assertion Issuer Tool, the SAML Query Client optionally binds this assertion to an X.509 proxy certificate. (A fully integrated version of the SAML Query Client will be bundled with a later version of this software.)
GridShib Common is an API for Java developers, packaged as a JAR file and distributed with the SAML Tools. GridShib Common includes the GridShib Security Framework, an API for producing and consuming X.509-bound SAML tokens. Portal developers, for example, can use GridShib Common to introduce SAML into the portal's grid security infrastructure.
The Globus SAML Library is an enhanced version of OpenSAML 1.1. The Library supports the following OASIS Standards:
The Globus SAML Library also conforms to the OASIS Subject-based Profiles for SAML V1.1 Assertions.
The Meaningless CA is an interoperable, untrusted CA with a well-known private key and DN. Certificates issued by the Meaningless CA are useful for testing purposes. They are preferable to self-signed certificates, since the latter are known to be incompatible with existing implementations (such as Globus Toolkit) and standards (such as RFC 3820). (Note: this Meaningless CA implementation conforms to the IETF Internet-Draft Auto Issued X.509 Certificate Mechanism.)
You can download the GridShib SAML Tools (GS-ST) software distribution from the GridShib Downloads page:
Download the software in GZIP or ZIP format, or browse the online CVS repository.
http://gridshib.globus.org/download.html#saml-tools
Please review the licensing terms of the GridShib License before using this software. GridShib is licensed under the Apache License, Version 2.0. Additional licensing information can be found on the GridShib Downloads page.
Available documentation for the GridShib SAML Tools (GS-ST) includes the following:
A brief set of Installation Notes for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/install.html
A comprehensive User Guide for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/user-guide.html
A Developer Guide for GS-ST.
http://gridshib.globus.org/docs/gridshib-saml-tools/dev-guide.html
Java API documentation for GridShib Common, which includes the GridShib Security Framework.
http://gridshib.globus.org/docs/gridshib-saml-tools/api/
Java API documentation for the Globus SAML Library. Note: The Globus SAML Library is based on Internet2's OpenSAML version 1.1.
http://gridshib.globus.org/docs/gridshib-saml-tools/library/api/
A text file documenting the changes between GS-ST versions.
http://gridshib.globus.org/docs/gridshib-saml-tools/CHANGES.txt
To illustrate how the GridShib SAML Tools are used in conjunction with GridShib for GT and the GridShib CA, a comprehensive Quick Start is provided:
The Quick Start provides step-by-step instructions for various deployment and configuration options for all GridShib components.
http://gridshib.globus.org/docs/gridshib/quick-start.html
Globus Toolkit (http://www.globus.org/toolkit/) is an open-source toolkit for grid computing. Shibboleth (http://shibboleth.internet2.edu/) is an open-source implementation of the SAML browser profiles. Globus Toolkit® and Shibboleth® are registered trademarks of the University of Chicago and Internet2, respectively.
The GridShib Project