This GridShib Quick Start gives detailed instructions for using GridShib for GT v0.6, GridShib SAML Tools v0.3, and GridShib CA v0.5 together on Windows and UNIX systems. The GridShib SAML Tools is a standalone suite of client tools requiring only Java and Ant. GridShib for GT is a plugin for Globus Toolkit (GT). A lightweight alternative to installing the full Globus Toolkit is to install the Java WS Core component of GT and then install GridShib for GT on top of that (see the Getting Started section for details). Finally, we show how to use a public instance of the GridShib CA to bootstrap the X.509 environment on your laptop or desktop.
This Quick Start concentrates on the following deployment scenarios:
In particular, all the examples in the section entitled Configuring GridShib for GT for Attribute Push address the Science Gateway Use Case.
This Quick Start requires two logical systems: a client system and a server system. The client system presents an X.509 certificate containing an X.509-bound SAML token to a GridShib-protected service running on the server system. Thus a suitable client system should be able to do the following:
At least one of steps 1 or 2 is required to obtain an X.509 certificate containing an X.509-bound SAML token. Using both the GridShib CA and the GridShib SAML Tools demonstrates that SAML information can come from multiple certificates in the presented certificate chain, so a client system that wields a browser is highly desirable.
The client system requires GridShib SAML Tools and GridShib for GT, while the server system requires GridShib for GT only. Since GridShib for GT strictly requires only Java WS Core (as opposed to the full GT software stack), the basic requirements for running a client and a server are fairly lightweight. We provide the following guides to help you install a minimal software stack suitable for this Quick Start:
Some possible deployment scenarios are outlined below:
For the rest of this Quick Start, we assume the client system is a laptop or desktop so that an end-entity credential can be requested from the shib-enabled GridShib CA.
This section shows how to configure GridShib for GT for attribute push. The requester authenticates to the service by presenting an X.509 certificate chain. One or more certificates in the chain may contain a SAML assertion bound to a non-critical X.509 v3 certificate extension. The security information in the SAML assertion(s) may be used for access control. After the requester is authenticated, the request passes through the authorization chain illustrated below.

As the request passes through the authorization chain, the policy information points (denoted by hexagons in the diagram) populate a security context with the security information gleaned from the SAML assertion(s). If any policy decision point (denoted by diamond shapes above) in the authorization chain returns DENY, processing is short-circuited and the request is denied. On the other hand, if the request passes through the entire authorization chain such that no policy decision point returns DENY, the request is permitted.
In what follows, we assume a client system and a server system have been deployed as outlined in the Getting Started section. For convenience, we also assume that both the client and the server are installed on the same system. If this is not the case, be sure to replace localhost in the commands below with the correct IP address or DNS address of the server system.
This tutorial refers to various configuration files included with GridShib for GT and GridShib SAML Tools:
UNIX:
$ export CONFIG_DIR=$GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0
$ ls -l $CONFIG_DIR/echo-service-security-descriptor.xml \
$CONFIG_DIR/server-config.wsdd \
$CONFIG_DIR/blacklist_ip_addresses.txt \
$CONFIG_DIR/blacklist_name_ids.txt \
$CONFIG_DIR/echo-attr-authz-vo.xml \
$CONFIG_DIR/echo-attr-authz-vo-roles.xml \
$CONFIG_DIR/echo-attr-authz-c.xml \
$CONFIG_DIR/idp-metadata/trusted_authorities_entity_map.txt
Windows:
> set CONFIG_DIR=%GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0
> dir %CONFIG_DIR%\echo-service-security-descriptor.xml
%CONFIG_DIR%\server-config.wsdd
%CONFIG_DIR%\blacklist_ip_addresses.txt
%CONFIG_DIR%\blacklist_name_ids.txt
%CONFIG_DIR%\echo-attr-authz-vo.xml
%CONFIG_DIR%\echo-attr-authz-vo-roles.xml
%CONFIG_DIR%\echo-attr-authz-c.xml
%CONFIG_DIR%\idp-metadata\trusted_authorities_entity_map.txt
In what follows, we will use short (system independent) filenames when referring to the above configuration files.
Before we get started, create a GridShib SAML Tools configuration properties file:
UNIX:
$ su - globus
$ echo $HOME
/home/globus
$ echo /tmp/x509up_u$UID
/tmp/x509up_u504
$ cat $GRIDSHIB_HOME/etc/my-saml-issuer.properties
# BEGIN my-saml-issuer.properties
# SAML NameIdentifier
NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
NameID.Format.template=%PRINCIPAL%
# FriendlyName="isMemberOf"
Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://nanohub.org/nanohub	group://gisolve.org/gisolve
# FriendlyName="countryName"
Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.countryName.Name=urn:oid:2.5.4.6
Attribute.countryName.Value=US
# X.509 Issuing Credential
certLocation=file:///tmp/x509up_u504
keyLocation=file:///tmp/x509up_u504
# END my-saml-issuer.properties
Windows:
> echo %USERPROFILE%
C:\Documents and Settings\globus
> echo %TEMP%\x509up_u_%USERNAME%
C:\DOCUME~1\GLOBUS\LOCALS~1\Temp\x509up_u_globus
> type %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
# BEGIN my-saml-issuer.properties
# SAML NameIdentifier
NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
NameID.Format.template=%PRINCIPAL%
# FriendlyName="isMemberOf"
Attribute.isMemberOf.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://nanohub.org/nanohub	group://gisolve.org/gisolve
# FriendlyName="countryName"
Attribute.countryName.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.countryName.Name=urn:oid:2.5.4.6
Attribute.countryName.Value=US
# X.509 Issuing Credential
certLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus
keyLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus
# END my-saml-issuer.properties
In both cases, note that the isMemberOf attribute is multi-valued and that the two attribute values are separated by a tab character.
Out of the box, the GridShib SecurityContextEchoService on the server system is configured for attribute push. All requests for SecurityContextEchoService are intercepted by the SAMLAssertionPushPIP (PushPIP), which extracts and parses any SAML tokens bound to the presented X.509 certificate chain. The resulting security context is logged but no policy is applied. Indeed, a policy information point (PIP) does not return an access control decision, so the GT 4.0 authorization framework permits access by default.

Issue a level 1 proxy credential on the client system and request the SecurityContextEchoService on the server system:
Examine the configuration of the SecurityContextEchoService on the server system.
Out of the box, SecurityContextEchoService is configured for attribute push. In echo-service-security-descriptor.xml, an interceptor called SAMLAssertionPushPIP is configured:
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
This interceptor consumes any X.509-bound SAML assertions in the presented certificate chain.
Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
The request for SecurityContextEchoService will be intercepted by the SAMLAssertionPushPIP, the assertions will be extracted and parsed, and the results will be echoed back to the requester. Check that SAMLAssertionPushPIP initializes in the container logs.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ export X509_USER_PROXY=/tmp/testcredential.pem
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> set X509_USER_PROXY=%TEMP%\testcredential.pem
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
---------
Response:
---------
Principal {
name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
/OU=https://idp.protectnetwork.org/protectnetwork-idp
/CN=trscavo@idp.protectnetwork.org'
type='Globus'
}
(untrusted) SAMLIdentity {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
trscavo
</NameIdentifier>'
}
(untrusted) SAMLIdentity {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
</NameIdentifier>'
}
(untrusted) SAMLAuthnContext {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
authnInstant='2008-01-24T22:29:18Z'
ipAddress='null'
dnsName='null'
}
(untrusted) BasicAttribute {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
name='urn:oid:2.5.4.6'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='US'
}
(untrusted) BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttribute'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValueTwo'
value #2='testValue'
}
(untrusted) BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttributeTwo'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValue'
}
(untrusted) BasicAttribute {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='group://gisolve.org/gisolve'
value #2='group://nanohub.org/nanohub'
}
You should receive a total of eight (8) items in the response: one (1) Principal item (representing the authenticated user), two (2) SAMLIdentity items (one of which is from the GridShib CA-issued EEC), one (1) SAMLAuthnContext item, and four (4) BasicAttribute items. Note carefully the issuer of each item. Also note that each item is labeled (untrusted) since none of the security information has been subjected to policy.
The SAMLAssertionPushPIP logs the security information in the pushed X.509-bound SAML tokens, but since no policy is applied, we say the information is untrusted. Without rendering an access control decision, the AttributeAcceptancePIP (AAPIP) applies attribute acceptance policy to the security information in the security context. As a result, information from issuers that are not trusted is filtered from the security context.

Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:
Reconfigure the SecurityContextEchoService on the server system.
Out of the box, SecurityContextEchoService is configured to accept all attributes (i.e., no policy is applied). We now expand the authorization chain to include attribute acceptance policy. This policy check is enabled by adding another PIP to the authorization chain. In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>
This enables AttributeAcceptancePIP in the authorization chain.
Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
The AttributeAcceptancePIP introduced in the previous step determines which of the "untrusted" items are in fact trusted (by consulting a list of trusted SAML authorities). Any "untrusted" items remaining are removed from the security context. Check that AttributeAcceptancePIP initializes in the container logs.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
---------
Response:
---------
Principal {
name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
/OU=https://idp.protectnetwork.org/protectnetwork-idp
/CN=trscavo@idp.protectnetwork.org'
type='Globus'
}
SAMLIdentity {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
</NameIdentifier>'
}
Principal {
name='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
type='SAML'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttribute'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValueTwo'
value #2='testValue'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttributeTwo'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValue'
}
This time, since the GridShib CA is the only trusted SAML authority on the list (by default), only five (5) items appear in the response: two (2) Principal items, one (1) SAMLIdentity item, and two (2) BasicAttribute items. Note that one Principal item represents the authenticated user (as mentioned in the previous section) while the other four items are a result of the trusted GridShib CA-issued EEC. The remaining items were removed from the security context by the AttributeAcceptancePIP since they are untrusted.
Reconfigure the GridShib SAML Tools on the client system so that the SAML issuer is identified by an entityID. Add the following lines to my-saml-issuer.properties:
# Identity Provider entityID
IdP.entityID=https://gridshib.example.org/idp
The URI on the righthand side is the entityID of the SAML issuer.
Convert the Subject DN of your EEC to RFC 2253 form on the client system:
UNIX:
$ $GLOBUS_LOCATION/bin/rfc2253dn
Windows:
> %GLOBUS_LOCATION%\bin\rfc2253dn
X.509 Subject DN (Globus):
/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
/OU=https://idp.protectnetwork.org/protectnetwork-idp
/CN=trscavo@idp.protectnetwork.org
X.509 Subject DN (RFC 2253):
CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
X.509 Subject DN (Canonical RFC 2253):
cn=#141e7472736361766f406964702e70726f746563746e6574776f726b2e6f7267,
ou=https://idp.protectnetwork.org/protectnetwork-idp,
o=shibboleth user,dc=#1608636f6d7075746572,dc=#16046e637361,
dc=#160475697563,dc=#1603656475
The RFC 2253 form of the Subject DN is required in the following step.
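The conversion rfc2253dn performs, written out as an added Python example (not part of GridShib, and not the rfc2253dn tool itself; the Canonical RFC 2253 form printed above is not reproduced). The Globus form is ambiguous because '/' can appear inside a value, as it does in the OU that holds the IdP entityID URL, so this code splits only at a '/' that begins a new TYPE= component. The function names, that split rule and the assumption that attribute types are alphanumeric names rather than OIDs are this example's own.

```python
import re

# Added example, not part of GridShib: a Python equivalent of the conversion that the
# rfc2253dn tool performs (the Canonical RFC 2253 form it also prints is not reproduced).
# Attribute types are assumed to be alphanumeric names (DC, O, OU, CN, ...), not OIDs.

# A Globus DN component starts at a '/' that is immediately followed by 'TYPE='.  Splitting
# only there keeps values containing '/' intact, such as the OU holding an entityID URL.
_GLOBUS_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9]*=)")
_RFC2253_SPECIAL = re.compile(r'([,+"\\<>;])')


def parse_globus_dn(globus_dn):
    """Split a Globus-style '/DC=edu/.../CN=x' DN into (type, value) pairs, root first."""
    if not globus_dn.startswith("/"):
        raise ValueError("Globus DN must start with '/': %r" % globus_dn)
    rdns = []
    for part in _GLOBUS_RDN_SPLIT.split(globus_dn[1:]):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type:
            raise ValueError("malformed RDN component: %r" % part)
        rdns.append((attr_type, value))
    return rdns


def escape_rfc2253_value(value):
    """Escape an attribute value as RFC 2253 section 2.4 requires."""
    escaped = _RFC2253_SPECIAL.sub(r"\\\1", value)   # backslash-escape , + " \ < > ;
    if escaped.startswith(("#", " ")):                # leading '#' or space
        escaped = "\\" + escaped
    if escaped.endswith(" "):                         # trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def globus_to_rfc2253(globus_dn):
    """RFC 2253 lists RDNs leaf first, so reverse the Globus order and join with commas."""
    return ",".join("%s=%s" % (attr_type, escape_rfc2253_value(value))
                    for attr_type, value in reversed(parse_globus_dn(globus_dn)))


if __name__ == "__main__":
    # The Subject DN from this Quick Start, in Globus form.
    print(globus_to_rfc2253("/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User"
                            "/OU=https://idp.protectnetwork.org/protectnetwork-idp"
                            "/CN=trscavo@idp.protectnetwork.org"))
```

The output has no space after the commas, which is the form blacklist_name_ids.txt and trusted_authorities_entity_map.txt expect (compare the DN line used in the name identifier blacklist later in this Quick Start); the wrapped display rfc2253dn prints is the same string.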
Reconfigure the AttributeAcceptancePIP on the server system.
The AttributeAcceptancePIP consults a map of trusted SAML authorities in which each entityID maps to an X.509 Issuer DN. By default, the GridShib CA is a trusted SAML authority. We now add the proxy issuer to the list of trusted SAML authorities. Add the following line to trusted_authorities_entity_map.txt:
https://gridshib.example.org/idp "Subject DN of your EEC"
Be sure to use the RFC 2253 form of your Subject DN from the previous step. Note what this entry trusts: the assertion in the proxy was issued under your own GridShib CA credential (the --sender-vouches issuing credential named by certLocation and keyLocation in my-saml-issuer.properties), so mapping this entityID to your EEC's Subject DN tells the service to accept whatever the holder of that EEC asserts about itself.
Request the SecurityContextEchoService again.
Since the proxy issuer was added to trusted_authorities_entity_map.txt at the previous step, the service now trusts all the security information in the proxy certificate.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
You should receive a total of ten (10) items in the response. Eight (8) of these items are exactly the same as in the first request above. Two (2) new Principal items have appeared, corresponding to the trusted SAMLIdentity items. Note that none of the security items are labeled (untrusted) since, by virtue of the AttributeAcceptancePIP, all security items have been associated with a trusted SAML issuer.
We now introduce our first policy decision point (PDP). The SAMLBlacklistPDP returns false (DENY) if (and only if) any of the security information in the security context is on one or more blacklists. GridShib for GT supports two kinds of blacklists: a blacklist of IP addresses and a blacklist of principal name identifiers. If the IP address asserted for the authenticated user (the ipAddress of the SAMLAuthnContext item, which the examples below embed in the proxy with the --address option) is on the blacklist of IP addresses, the request is denied. Similarly, if a name identifier associated with the authenticated user is on the blacklist of principal name identifiers, the request is denied. Since the address checked is the one asserted by the SAML issuer rather than the address the request arrived from, this check is only as reliable as the issuers trusted at the previous step.

Reconfigure the server system, issue a level 1 proxy credential containing an IP address on the client system, and request the SecurityContextEchoService on the server system:
Reconfigure the SecurityContextEchoService on the server system.
In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>
This enables SAMLBlacklistPDP in the authorization chain. In server-config.wsdd, observe the following configuration parameter:
<parameter name="secctxecho-blacklistIPAddressesFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_ip_addresses.txt"/>
This enables IP address blacklisting in the SecurityContextEchoService.
Request the SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
Since the IP address embedded in the proxy (111.111.111.111) is on the blacklist (blacklist_ip_addresses.txt), the request is denied. Check that SAMLBlacklistPDP initializes in the container logs.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600 \
--address 111.111.111.111
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
--address 111.111.111.111
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
"/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
is not authorized to use operation:
{http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the IP address is on the blacklist, the request is denied.
Request the SecurityContextEchoService again, this time embedding an IP address (255.255.255.255) that is not on the blacklist.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600 \
--address 255.255.255.255
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
--address 255.255.255.255
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
As before, you should receive a total of ten (10) items in the response: two (2) SAMLIdentity items, one (1) SAMLAuthnContext item, four (4) BasicAttribute items, and three (3) Principal items. Note that the SAMLAuthnContext item contains the IP address 255.255.255.255 previously embedded in the proxy.
Reconfigure the server system and request the SecurityContextEchoService again.
In server-config.wsdd, observe the following configuration parameter:
<parameter name="secctxecho-blacklistNameIdentifiersFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/blacklist_name_ids.txt"/>
This enables name identifier blacklisting in the SecurityContextEchoService. In blacklist_name_ids.txt, uncomment the following name identifier:
trscavo
This name identifier is in fact one of two name identifiers asserted in the two X.509-bound SAML assertions in the certificate chain.
UNIX:
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
"/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
is not authorized to use operation:
{http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the name identifier is on the blacklist, the request is denied.
Request the SecurityContextEchoService again.
In blacklist_name_ids.txt, comment out this line
#trscavo
and uncomment this line
CN=ePPN,OU=entityID,O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
where ePPN and entityID are particular identifiers associated with the user and the identity provider, respectively. In my case, ePPN is trscavo@idp.protectnetwork.org and entityID is https://idp.protectnetwork.org/protectnetwork-idp. Your mileage may vary of course. With the substitutions made, this line is the other name identifier asserted in the certificate chain (the X509SubjectName-format NameIdentifier in the EEC-bound assertion), so a request made with this blacklist in effect is denied as well.
Some grid resources (e.g., GRAM) require a local username. Given a username, the job executes in the environment of the corresponding user on the server system. Traditionally, the local username is obtained from the gridmap file, a mapping from X.509 Subject DNs to local usernames.
GridShib augments (or even replaces) the gridmap file. Instead of mapping DNs to usernames, GridShib maps user attributes to usernames. The mapping is contained in an attribute-based username mapping policy file (attributeMappingPolicyFile). The SAMLMapPIP combines the attributes in the security context with the mapping policy in the file and adds the resulting usernames to the security context.

Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:
Reconfigure the SecurityContextEchoService on the server system.
This step involves both echo-service-security-descriptor.xml and server-config.wsdd on the server system. In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho:org.globus.gridshib.SAMLMapPIP"/>
This enables SAMLMapPIP in the authorization chain.
In server-config.wsdd, observe the following configuration parameter:
<parameter name="secctxecho-attributeMappingPolicyFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>
This associates a policy file for attribute-based mapping in the SecurityContextEchoService.
Request the SecurityContextEchoService again.
The SAMLMapPIP maps the isMemberOf attribute values in the proxy to local usernames. (The policy file echo-attr-authz-vo.xml on the server system contains the relevant mappings.) Check that SAMLMapPIP initializes in the container logs.
UNIX:
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
---------
Response:
---------
Principal {
name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
/OU=https://idp.protectnetwork.org/protectnetwork-idp
/CN=trscavo@idp.protectnetwork.org'
type='Globus'
}
Principal {
name='trscavo'
type='SAML'
}
Principal {
name='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
type='SAML'
}
SAMLIdentity {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
trscavo
</NameIdentifier>'
}
SAMLIdentity {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
</NameIdentifier>'
}
SAMLAuthnContext {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
authnInstant='2008-01-24T22:29:18Z'
ipAddress='255.255.255.255'
dnsName='null'
}
BasicAttribute {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
name='urn:oid:2.5.4.6'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='US'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttribute'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValueTwo'
value #2='testValue'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttributeTwo'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValue'
}
BasicAttribute {
issuer='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
name='urn:oid:1.3.6.1.4.1.5923.1.5.1.1'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='group://gisolve.org/gisolve'
value #2='group://nanohub.org/nanohub'
}
Principal {
name='nanohub'
type='UserName'
}
Principal {
name='gisolve'
type='UserName'
}
You should receive a total of twelve (12) items in the response: two (2) SAMLIdentity items, one (1) SAMLAuthnContext item, four (4) BasicAttribute items, and five (5) Principal items. The two new Principal items (of type UserName) are usernames mapped from attributes according to the policy file (echo-attr-authz-vo.xml).
We add a second PDP to the authorization chain, which completes the configuration of attribute-based authorization based on attribute push. The SAMLAttributePDP returns true (PERMIT) if (and only if) attribute-based authorization policy (in parameter attributeAuthzPolicyFile) is satisfied.
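The item counts reported at each stage of this tutorial (eight untrusted items after the SAMLAssertionPushPIP, five after the AttributeAcceptancePIP with the default trust list, ten once the proxy issuer is trusted, DENY from the SAMLBlacklistPDP, twelve after the SAMLMapPIP, and DENY from the SAMLAttributePDP when no attribute satisfies policy) all follow from the chain semantics described at the top of this section: PIPs populate or filter the security context and never decide, PDPs short-circuit on DENY, and a chain with no PDP permits by default. The following Python model is an added illustration, not GridShib code and not part of this Quick Start; it reproduces those counts over a constructed copy of the certificate chain echoed above. The item kinds, issuer names, blacklists and group-to-username mapping are taken from the page; the dict representation of items, the function names, the placeholder GRIDSHIB_CA_DN and the (name, value) policy format are this model's assumptions, not GridShib's API or its XML policy files.

```python
"""Model of the authorization chain this Quick Start builds up one interceptor at a time.
Added illustration, not GridShib code: names, item kinds, issuers, blacklists and the
group-to-username mapping come from the page; the dict items, function signatures and
policy formats are this model's assumptions, not the GridShib API or its XML policy files."""

DENY, PERMIT, NO_DECISION = "DENY", "PERMIT", None

# RFC 2253 Subject DN of the GridShib CA-issued EEC; it is also the Issuer DN of the
# level 1 proxy and therefore the issuer of the proxy-bound assertion.
EEC_DN = ("CN=trscavo@idp.protectnetwork.org,"
          "OU=https://idp.protectnetwork.org/protectnetwork-idp,"
          "O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu")
GRIDSHIB_CA = "https://test-sp.ncsa.uiuc.edu/shibboleth"  # issuer of the EEC-bound assertion
GRIDSHIB_CA_DN = "CN=placeholder GridShib CA"             # assumed: the page never shows this DN
PROXY_IDP = "https://gridshib.example.org/idp"            # IdP.entityID of the proxy issuer
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"

def build_chain(ip_address=None):
    """Constructed certificate chain [proxy, EEC], each with its X.509-bound SAML items."""
    proxy = {"subject": EEC_DN, "saml_items": [
        {"kind": "SAMLIdentity", "issuer": EEC_DN, "nameID": "trscavo"},
        {"kind": "SAMLAuthnContext", "issuer": EEC_DN, "ipAddress": ip_address},
        {"kind": "BasicAttribute", "issuer": EEC_DN, "name": "urn:oid:2.5.4.6", "values": ["US"]},
        {"kind": "BasicAttribute", "issuer": EEC_DN, "name": IS_MEMBER_OF,
         "values": ["group://nanohub.org/nanohub", "group://gisolve.org/gisolve"]}]}
    eec = {"subject": EEC_DN, "saml_items": [
        {"kind": "SAMLIdentity", "issuer": GRIDSHIB_CA, "nameID": EEC_DN},
        {"kind": "BasicAttribute", "issuer": GRIDSHIB_CA,
         "name": "http://gridshib.globus.org/testAttribute", "values": ["testValueTwo", "testValue"]},
        {"kind": "BasicAttribute", "issuer": GRIDSHIB_CA,
         "name": "http://gridshib.globus.org/testAttributeTwo", "values": ["testValue"]}]}
    return [proxy, eec]

def saml_assertion_push_pip(ctx, chain):
    """Copy every X.509-bound SAML item in the chain into the context, marked untrusted."""
    for cert in chain:
        ctx.extend(dict(item, trusted=False) for item in cert["saml_items"])
    return NO_DECISION

def attribute_acceptance_pip(ctx, trusted_map):
    """Keep items whose issuer matches either side (entityID or Issuer DN) of an entry in the
    trusted authorities map; a trusted SAMLIdentity also yields a Principal of type SAML."""
    trusted = set(trusted_map) | set(trusted_map.values())
    kept = []
    for item in ctx:
        if item["kind"] == "Principal" or item["issuer"] in trusted:
            kept.append(dict(item, trusted=True))
            if item["kind"] == "SAMLIdentity":
                kept.append({"kind": "Principal", "name": item["nameID"], "type": "SAML", "trusted": True})
    ctx[:] = kept   # everything not trusted is removed from the context
    return NO_DECISION

def saml_blacklist_pdp(ctx, ip_blacklist, nameid_blacklist):
    """DENY iff the asserted IP address or a SAML principal name is blacklisted.  The address
    checked is the one asserted in the SAMLAuthnContext, not the address of the TCP peer."""
    for item in ctx:
        if item["kind"] == "SAMLAuthnContext" and item["ipAddress"] in ip_blacklist:
            return DENY
        if item["kind"] == "Principal" and item["type"] == "SAML" and item["name"] in nameid_blacklist:
            return DENY
    return NO_DECISION

def saml_map_pip(ctx, mapping):
    """Add a Principal of type UserName for each (attribute name, value) found in mapping."""
    for item in list(ctx):
        for value in item.get("values", []):
            if (item["name"], value) in mapping:
                ctx.append({"kind": "Principal", "name": mapping[(item["name"], value)],
                            "type": "UserName", "trusted": True})
    return NO_DECISION

def saml_attribute_pdp(ctx, required):
    """PERMIT iff some attribute in the context matches a required (name, value) pair."""
    for item in ctx:
        if any((item["name"], v) in required for v in item.get("values", [])):
            return PERMIT
    return DENY

def run_chain(chain, interceptors):
    """Run the interceptors in order.  The first DENY short-circuits the chain; if none
    renders a decision (a PIP-only chain), the GT 4.0 framework permits by default."""
    ctx = [{"kind": "Principal", "name": chain[0]["subject"], "type": "Globus", "trusted": True}]
    for step in interceptors:
        if step(ctx) == DENY:
            return DENY, ctx
    return PERMIT, ctx

def quickstart(trusted_map=None, ip_address=None, ip_blacklist=(), nameid_blacklist=(), mapping=None, required=None):
    """Wire the chain the way the Quick Start does, adding one stage per configured argument."""
    chain = build_chain(ip_address)
    steps = [lambda c: saml_assertion_push_pip(c, chain)]
    if trusted_map is not None:
        steps.append(lambda c: attribute_acceptance_pip(c, trusted_map))
    if ip_blacklist or nameid_blacklist:
        steps.append(lambda c: saml_blacklist_pdp(c, set(ip_blacklist), set(nameid_blacklist)))
    if mapping is not None:
        steps.append(lambda c: saml_map_pip(c, mapping))
    if required is not None:
        steps.append(lambda c: saml_attribute_pdp(c, set(required)))
    return run_chain(chain, steps)
```

Calling quickstart() with no arguments models the first stage of this tutorial and returns PERMIT with eight items, seven of them untrusted: with only PIPs in the chain nothing is ever denied, whatever the pushed assertions contain, which is why the first PDP added (the SAMLBlacklistPDP) is the first interceptor that actually enforces anything.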

Reconfigure both systems, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:
Reconfigure the SecurityContextEchoService on the server system.
In echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho:org.globus.gridshib.SAMLMapPIP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho:org.globus.gridshib.SAMLMapPIP
secctxecho:org.globus.gridshib.SAMLAttributePDP"/>
This enables SAMLAttributePDP in the authorization chain.
In server-config.wsdd, comment out the following configuration parameter
<!--<parameter name="secctxecho-attributeMappingPolicyFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>-->
and observe the following (related) configuration parameter:
<parameter name="secctxecho-attributeAuthzPolicyFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo.xml"/>
Commenting out the attributeMappingPolicyFile parameter causes the SAMLMapPIP to fall back on the attributeAuthzPolicyFile parameter. This associates a single policy file with both attribute-based mapping (SAMLMapPIP) and attribute-based authorization (SAMLAttributePDP) in the SecurityContextEchoService.my-other-saml-issuer.properties) in directory $GRIDSHIB_HOME/etc (or %GRIDSHIB_HOME%\etc on Windows):
# BEGIN my-other-saml-issuer.properties # Identity Provider entityID IdP.entityID=https://gridshib.example.org/idp # SAML NameIdentifier (formatted as eduPersonPrincipalName) NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6 NameID.Format.template=%PRINCIPAL%@example.org # FriendlyName="eduPersonEntitlement" Attribute.ROLE.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.ROLE.Name=urn:oid:1.3.6.1.4.1.5923.1.1.1.7 Attribute.ROLE.Value=http://www.teragrid.org/names/roles/admin # END my-other-saml-issuer.properties
SecurityContextEchoService, authenticating with a level 1 proxy credential issued on the client system.
echo-attr-authz-vo.xml on the server system. As a result, the request will fail.
SAMLAttributePDP initializes in the container logs.
UNIX:
$ cp /tmp/x509up_u$UID /tmp/mycredential.pem
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600 \
--properties \
certLocation=file:///tmp/mycredential.pem \
keyLocation=file:///tmp/mycredential.pem
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> copy "%TEMP%\x509up_u_%USERNAME%" C:\Temp\mycredential.pem
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-other-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
--properties
certLocation=file:///C:/Temp/mycredential.pem
keyLocation=file:///C:/Temp/mycredential.pem
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Error: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
"/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/OU=entityID/CN=ePPN"
is not authorized to use operation:
{http://wsrf.globus.org/2005/04/secctxecho}echo on this service
Since the supplied attribute does not satisfy policy (echo-attr-authz-vo.xml), the request is denied.
SecurityContextEchoService again.
echo-service-security-descriptor.xml, modify the authorization chain slightly as follows:
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho2:org.globus.gridshib.SAMLMapPIP
secctxecho2:org.globus.gridshib.SAMLAttributePDP"/>
This reconfigures SAMLAttributePDP to depend on a different policy file:
<parameter name="secctxecho2-attributeAuthzPolicyFile"
value="GLOBUS_LOCATION/etc/gridshib-gt-echo-0_6_0/echo-attr-authz-vo-roles.xml"/>
If you inspect the above policy file (echo-attr-authz-vo-roles.xml), you'll see that the attribute previously bound to the proxy certificate does in fact satisfy policy.
UNIX:
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
Windows:
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s https://localhost:8443/wsrf/services/SecurityContextEchoService
---------
Response:
---------
Principal {
name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/
OU=https://idp.protectnetwork.org/protectnetwork-idp/
CN=trscavo@idp.protectnetwork.org'
type='Globus'
}
SAMLIdentity {
issuer='https://gridshib.example.org/idp'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>'
}
SAMLIdentity {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
</NameIdentifier>'
}
Principal {
name='trscavo@example.org'
type='SAML'
}
Principal {
name='CN=trscavo@idp.protectnetwork.org,
OU=https://idp.protectnetwork.org/protectnetwork-idp,
O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu'
type='SAML'
}
SAMLAuthnContext {
issuer='https://gridshib.example.org/idp'
authnMethod='urn:oasis:names:tc:SAML:1.0:am:password'
authnInstant='2008-01-24T22:29:18Z'
ipAddress='null'
dnsName='null'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttribute'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValueTwo'
value #2='testValue'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttributeTwo'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValue'
}
BasicAttribute {
issuer='https://gridshib.example.org/idp'
name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='http://www.teragrid.org/names/roles/admin'
}
Principal {
name='tg-admin'
type='UserName'
}
This time policy is satisfied (echo-attr-authz-vo-roles.xml).

To provide a more elegant and flexible configuration, GridShib for GT exposes a combined interceptor called GridShibPDP that includes all the functionality discussed thus far (and more).

Reconfigure the server system, issue a level 1 proxy credential on the client system, and request the SecurityContextEchoService on the server system:
SecurityContextEchoService on the server system.
GridShibPDP is functionally equivalent to the authorization chain configured in the previous section. (Actually, GridShibPDP does much, much more.)
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho:org.globus.gridshib.SAMLMapPIP
secctxecho:org.globus.gridshib.SAMLAttributePDP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>
This enables the combined interceptor GridShibPDP.
SecurityContextEchoService, authenticating with a level 1 proxy credential via Secure Message.
UNIX:
$ $GLOBUS_LOCATION/bin/globus-start-container -nosec
Windows:
> %GLOBUS_LOCATION%\bin\globus-start-container -nosec
This disables transport-level security in the container.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/testcredential.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600 \
--address 255.255.255.255
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/testcredential.pem
$ echo $X509_USER_PROXY
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none \
-s http://localhost:8080/wsrf/services/SecurityContextEchoService
$ $GLOBUS_LOCATION/bin/gridshibecho -d -z none -m msg \
-s http://localhost:8080/wsrf/services/SecurityContextEchoService
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile %TEMP%\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
--address 255.255.255.255
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile %TEMP%\testcredential.pem
> echo %X509_USER_PROXY%
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
-s http://localhost:8080/wsrf/services/SecurityContextEchoService
> %GLOBUS_LOCATION%\bin\gridshibecho -d -z none -m msg
-s http://localhost:8080/wsrf/services/SecurityContextEchoService
The first request will fail because it requires transport-level security, which has been disabled in the container. The second request will succeed, however, despite the fact that transport-level security has been disabled, since it uses message-level security as indicated by the -m msg command-line option. In that case, the X.509 certificate chain containing the SAML assertions is passed in the header of the SOAP request.
UNIX:
$ $GLOBUS_LOCATION/bin/globus-stop-container \
-s http://localhost:8080/wsrf/services/ShutdownService -m msg
Windows:
> %GLOBUS_LOCATION%\bin\globus-stop-container
-s http://localhost:8080/wsrf/services/ShutdownService -m msg
Any given policy file lists zero or more attributes. In the case where more than one attribute is specified in a policy file, policy is satisfied if at least one attribute is satisfied. In other words, a logical OR semantic is applied within a given policy file. To express policy based on a logical AND semantic, a sequence of PDPs may be invoked.
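The model below is an added example, not GridShib code, and uses an in-memory rule representation of its own (the real GridShib policy XML is not reproduced on this page). It shows the two semantics just described side by side: within one policy file the listed attributes are OR-ed, and across a chain of SAMLAttributePDP instances, each bound to its own policy file, the files are AND-ed. The attribute values come from the gridshibecho response printed earlier in this section; the policy file names and contents are constructed for the example, and the treatment of an empty policy file (denies everyone) is an assumption of the model.

```python
"""Added example (not GridShib code): how attribute policy files combine.
Within one file: logical OR over its attribute entries.
Across a chain of SAMLAttributePDP instances: logical AND over the files.
The rule representation is an assumption; GridShib's policy XML is not shown here."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class BasicAttribute:
    """An attribute as gridshibecho prints it: issuer, name, one or more values."""
    issuer: str
    name: str
    values: FrozenSet[str]


@dataclass(frozen=True)
class AttributeRule:
    """One attribute entry of a policy file.  The issuer is part of the match, so the
    same attribute name asserted by an unexpected issuer does not satisfy the rule."""
    issuer: str
    name: str
    values: FrozenSet[str]

    def satisfied_by(self, attrs: Sequence[BasicAttribute]) -> bool:
        return any(a.issuer == self.issuer and a.name == self.name
                   and a.values & self.values for a in attrs)


@dataclass(frozen=True)
class PolicyFile:
    """Zero or more rules; permits if at least one rule is satisfied (logical OR).
    An empty file therefore permits nobody in this model (assumption)."""
    name: str
    rules: Tuple[AttributeRule, ...]

    def permits(self, attrs: Sequence[BasicAttribute]) -> bool:
        return any(rule.satisfied_by(attrs) for rule in self.rules)


def chain_decision(chain: Sequence[PolicyFile],
                   attrs: Sequence[BasicAttribute]) -> Tuple[bool, Optional[str]]:
    """Evaluate a chain of SAMLAttributePDP instances (logical AND).
    Returns (permit, name of the first policy file that denied, or None)."""
    for policy in chain:
        if not policy.permits(attrs):
            return False, policy.name
    return True, None


# Attributes taken from the gridshibecho response shown on this page.
SP = "https://test-sp.ncsa.uiuc.edu/shibboleth"
IDP = "https://gridshib.example.org/idp"
ROLE_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"          # eduPersonEntitlement
ADMIN = "http://www.teragrid.org/names/roles/admin"
PUSHED = (
    BasicAttribute(SP, "http://gridshib.globus.org/testAttribute",
                   frozenset({"testValueTwo", "testValue"})),
    BasicAttribute(SP, "http://gridshib.globus.org/testAttributeTwo", frozenset({"testValue"})),
    BasicAttribute(IDP, ROLE_ATTR, frozenset({ADMIN})),
)

# Constructed policy files; names and contents are illustrative, not the files in GLOBUS_LOCATION/etc.
ROLES = PolicyFile("roles.xml", (AttributeRule(IDP, ROLE_ATTR, frozenset({ADMIN})),))
TEST_ATTRS = PolicyFile("test-attrs.xml", (
    AttributeRule(SP, "http://gridshib.globus.org/testAttribute", frozenset({"testValueThree"})),
    AttributeRule(SP, "http://gridshib.globus.org/testAttributeTwo", frozenset({"testValue"})),))
WRONG_ISSUER = PolicyFile("wrong-issuer.xml", (AttributeRule(SP, ROLE_ATTR, frozenset({ADMIN})),))


def demo():
    """Three decisions: OR inside a file, AND across a chain, and a chain denial."""
    return {
        "or_within_file": TEST_ATTRS.permits(PUSHED),      # only the second entry matches
        "and_across_chain": chain_decision((ROLES, TEST_ATTRS), PUSHED),
        "chain_denied": chain_decision((ROLES, WRONG_ISSUER, TEST_ATTRS), PUSHED),
    }
```

The third decision is the case a deployer most often gets wrong: the entitlement value is present, but asserted by a different issuer than the policy names, so that PDP denies and the whole chain denies regardless of the files after it.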

Reconfigure the server system, issue a level 2 proxy credential on the client system, and request the SecurityContextEchoService on the server system:
SecurityContextEchoService on the server system.
echo-service-security-descriptor.xml, comment out this line
<authz value="secctxecho:org.globus.gridshib.GridShibPDP"/>
and uncomment this line
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP
secctxecho:org.globus.gridshib.AttributeAcceptancePIP
secctxecho:org.globus.gridshib.SAMLBlacklistPDP
secctxecho1:org.globus.gridshib.SAMLMapPIP
secctxecho2:org.globus.gridshib.SAMLMapPIP
secctxecho1:org.globus.gridshib.SAMLAttributePDP
secctxecho2:org.globus.gridshib.SAMLAttributePDP
secctxecho3:org.globus.gridshib.SAMLAttributePDP"/>
This enables SAMLAttributePDP three times in the authorization chain. Each invocation of SAMLAttributePDP is associated with its own policy file. (See server-config.wsdd for the corresponding policy file configurations.)
SecurityContextEchoService, authenticating with a level 2 proxy credential issued on the client system.
SAMLMapPIP and SAMLAttributePDP initialize in the container logs.
UNIX:
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-saml-issuer.properties \
--authn --x509 --outfile /tmp/level1proxy.pem \
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password \
--authnInstant 2008-01-24T16:29:18-0600
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/level1proxy.pem
$ $GRIDSHIB_HOME/bin/gridshib-saml-issuer \
--user trscavo --sender-vouches \
--config $GRIDSHIB_HOME/etc/my-other-saml-issuer.properties \
--x509 --outfile /tmp/level2proxy.pem \
--properties \
certLocation=file:///tmp/level1proxy.pem \
keyLocation=file:///tmp/level1proxy.pem
$ $GRIDSHIB_HOME/bin/gridshib-saml-info \
--infile /tmp/level2proxy.pem
$ export X509_USER_PROXY=/tmp/level2proxy.pem
Windows:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-saml-issuer.properties
--authn --x509 --outfile C:\Temp\level1proxy.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password
--authnInstant 2008-01-24T16:29:18-0600
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile C:\Temp\level1proxy.pem
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
--user trscavo --sender-vouches
--config %GRIDSHIB_HOME%\etc\my-other-saml-issuer.properties
--x509 --outfile C:\Temp\level2proxy.pem
--properties
certLocation=file:///C:/Temp/level1proxy.pem
keyLocation=file:///C:/Temp/level1proxy.pem
> %GRIDSHIB_HOME%\bin\gridshib-saml-info
--infile C:\Temp\level2proxy.pem
> set X509_USER_PROXY=C:\Temp\level2proxy.pem
SAMLIdentity items (one from each certificate), one (1) SAMLAuthnContext item (from the level 1 proxy), five (5) BasicAttribute items (two from the EEC, two from the level 1 proxy, and one from the level 2 proxy), and seven (7) Principal items (three of which are username mappings).
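Checking item counts like these by eye gets error-prone once the level 2 proxy is in play. The parser below is an added example, not part of the GridShib distribution: it reads the item listing that gridshibecho prints (Principal { ... }, SAMLIdentity { ... }, BasicAttribute { ... }) and returns the counts per item type, the number of username mappings, and the issuers that contributed attributes. The grammar is inferred from the sample response earlier in this section, including its values wrapped over several lines; SAMPLE_RESPONSE is an excerpt of that response, not a full run against the level 2 proxy.

```python
"""Added example, not GridShib code: parse the item listing printed by
gridshibecho and summarize it.  The grammar is inferred from the sample response
on this page; SAMPLE_RESPONSE is an excerpt of that response."""
import re
from collections import Counter

ITEM_OPEN = re.compile(r"^(\w+) \{$")
FIELD_START = re.compile(r"^([A-Za-z]+(?: #\d+)?)='(.*)$")  # key='... (may be unterminated)


def parse_response(text):
    """Return one {"type", "fields"} dict per item.  Values wrapped over several
    lines (long DNs, inline XML) are re-joined; 'value #n' fields become a list."""
    items, current, key, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:                      # between items: only 'Type {' matters
            m = ITEM_OPEN.match(line)            # '---------' / 'Response:' are skipped
            if m:
                current = {"type": m.group(1), "fields": {}}
            continue
        if key is None:
            if line == "}":
                items.append(current)
                current = None
                continue
            m = FIELD_START.match(line)
            if not m:
                raise ValueError(f"unexpected line inside {current['type']}: {raw!r}")
            key, line, buf = m.group(1), m.group(2), []
        if line.endswith("'"):                   # closing quote: the field is complete
            buf.append(line[:-1])
            base = key.split(" #")[0]
            if base == "value":
                current["fields"].setdefault("value", []).append("\n".join(buf))
            else:
                current["fields"][base] = "\n".join(buf)
            key = None
        else:                                    # value continues on the next line
            buf.append(line)
    if current is not None:
        raise ValueError("response ended inside an item")
    return items


def summarize(text):
    """Item counts plus the details the Quick Start asks you to verify."""
    items = parse_response(text)
    counts = Counter(i["type"] for i in items)
    return {
        "SAMLIdentity": counts["SAMLIdentity"],
        "SAMLAuthnContext": counts["SAMLAuthnContext"],
        "BasicAttribute": counts["BasicAttribute"],
        "Principal": counts["Principal"],
        "username_mappings": sum(1 for i in items if i["type"] == "Principal"
                                 and i["fields"].get("type") == "UserName"),
        "attribute_issuers": sorted({i["fields"]["issuer"] for i in items
                                     if i["type"] == "BasicAttribute"}),
    }


# Excerpt of the gridshibecho response shown earlier on this page (not a full run).
SAMPLE_RESPONSE = """\
---------
Response:
---------
Principal {
name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/
OU=https://idp.protectnetwork.org/protectnetwork-idp/
CN=trscavo@idp.protectnetwork.org'
type='Globus'
}
SAMLIdentity {
issuer='https://gridshib.example.org/idp'
nameID='<NameIdentifier
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>'
}
BasicAttribute {
issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
name='http://gridshib.globus.org/testAttribute'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='testValueTwo'
value #2='testValue'
}
BasicAttribute {
issuer='https://gridshib.example.org/idp'
name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
value #1='http://www.teragrid.org/names/roles/admin'
}
Principal {
name='tg-admin'
type='UserName'
}
"""
```

Run summarize() on the response captured from a level 2 proxy request and compare against the expected counts (two SAMLIdentity, one SAMLAuthnContext, five BasicAttribute, seven Principal with three username mappings); the attribute_issuers entry makes it easy to confirm that attributes really arrived from more than one certificate in the chain.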