Wednesday, July 23, 2008

SAML Holder-of-Key SSO Profile Handler

Today I updated the wiki on the SAML Holder-of-Key GSoC project. For those of you not familiar with the project, during the last few months I implemented a Holder-of-Key Single Sign-On profile handler for a SAML Identity Provider (the Shibboleth IdP). With this profile handler, a Shibboleth IdP can issue holder-of-key SAML assertions to properly authenticated non-browser users.

In this scenario, a non-browser client (in my implementation, an HTTP User Agent written in Java) issues a SAML Request and sends it together with a self-signed X.509 certificate to the SAML IdP. The user behind the User Agent authenticates to the IdP with a username/password via HTTP basic auth. The IdP binds the key in the certificate to the SAML holder-of-key assertion, signs it and returns it to the User Agent. A demo of this message exchange is hosted at NCSA. Instructions for how to build and install the Holder-of-Key SSO profile handler are available at the project wiki. Any comments are most welcome.
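
To make the key binding concrete, here is an added example (not code from the GSoC project, which is written in Java) that builds the Subject of a SAML 2.0 holder-of-key assertion with the client's certificate in SubjectConfirmationData/KeyInfo, and the relying-party check that only accepts the assertion when the presenter's TLS client certificate is the bound one. The certificate bytes are a constructed placeholder, not a real DER certificate, and XML signature verification is left out.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed placeholder standing in for the DER bytes of the client's
# self-signed X.509 certificate; it is not a parseable certificate.
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-bytes"


def build_hok_assertion(subject, client_cert_der):
    """IdP side: bind the key seen in the client's certificate into the
    SubjectConfirmation (signature over the assertion omitted here)."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", Version="2.0")
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=HOK)
    data = ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData")
    key_info = ET.SubElement(data, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    cert = ET.SubElement(x509, f"{{{DS}}}X509Certificate")
    cert.text = base64.b64encode(client_cert_der).decode("ascii")
    return ET.tostring(assertion, encoding="unicode")


def confirm_holder_of_key(assertion_xml, presenter_cert_der):
    """Relying-party side: the presenter must have authenticated (e.g. over
    TLS) with the certificate bound into a holder-of-key confirmation."""
    root = ET.fromstring(assertion_xml)
    for conf in root.iter(f"{{{SAML}}}SubjectConfirmation"):
        if conf.get("Method") != HOK:
            continue  # bearer and other methods prove no key possession
        for cert in conf.iter(f"{{{DS}}}X509Certificate"):
            # Base64 in XML may be line-wrapped; strip whitespace first.
            bound = base64.b64decode("".join(cert.text.split()))
            if bound == presenter_cert_der:
                return True
    return False
```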

As we approach the official end of the program, I must say it has been very exciting to work with Globus. The Globus developer community is friendly and helpful at all times. Also, Tom Scavo is the perfect mentor: he gives me freedom to be creative and proper guidance so I don't deviate too much from the right path :-)
