Minutes by Gabriele Garzoglio
* Vincenzo Ciaschini: SAML-based VOMS:
The Subject of the AttributeQuery must match the Issuer. This way one can only request one's own credentials. We are currently discussing whether we should let users get credentials for other users.
The VOMS response is a SAML assertion.
The Condition element is used to specify the duration.
The Attribute element contains the FQAN and GA.
The service runs under Tomcat 5.5. Today, to gain the info about a user, one must be able to authenticate as the user. However, we are integrating trustmanager to allow the interaction with services, if they have the user's proxies.
Where are the SAML assertions put?
ACs are inserted into a user proxy. We do the same with SAML assertions. Alternative considered: adding the assertion to WS-Security via SOAP.
Issue: Naming of the attributes. They are not finalized yet. Will write doc to explain the syntax and synchronize with other people's attributes (NAREGI, etc.).
Problem with the protocol of attribute assignment: conflict between what SAML specifies and the requirement of making the content consistent with AC.
Details: when writing an attribute query, one can ask for single attributes. When this is done, the SAML protocol says that the assertion must contain only a subset of the attributes in the query, but NOT extra attributes. Membership in groups may be denied if one requests only an attribute. Planning to solve this by returning an empty assertion OR ...
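The two protocol rules just described (subject must equal issuer; the answer carries no attributes beyond those queried, with an empty assertion as one fallback) modelled in Python as an added illustration, not VOMS code: the DN, the VO data, the attribute names "FQAN"/"GA" and the issuer string are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed VO membership data (hypothetical DN and attribute names).
VO_DB = {
    "/C=IT/O=INFN/CN=Alice": {
        "FQAN": ["/testvo/Role=NULL", "/testvo/group1/Role=admin"],
        "GA": ["nickname=alice"],
    },
}

def build_query(issuer, subject, attribute_names=()):
    """AttributeQuery: who asks (Issuer), about whom (Subject), which attributes."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery")
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name)
    return q

def answer_query(query, lifetime=timedelta(hours=12)):
    """Return a SAML Assertion for the query, enforcing both rules from the talk."""
    issuer = query.findtext(f"{{{SAML}}}Issuer")
    subject = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if issuer != subject:  # rule 1: one may only request one's own credentials
        raise PermissionError("AttributeQuery Subject must equal Issuer")
    held = VO_DB.get(subject, {})
    requested = [a.get("Name") for a in query.findall(f"{{{SAML}}}Attribute")]
    # rule 2: never add attributes that were not queried; an unqualified
    # query gets everything held, an unknown subject gets an empty assertion
    names = [n for n in (requested or held) if n in held]
    a = ET.Element(f"{{{SAML}}}Assertion")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "voms.example.org"  # placeholder
    now = datetime.now(timezone.utc)
    ET.SubElement(a, f"{{{SAML}}}Conditions",  # Conditions carry the duration
                  NotBefore=now.isoformat(), NotOnOrAfter=(now + lifetime).isoformat())
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for n in names:
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=n)
        for v in held[n]:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return a

def returned_attributes(assertion):
    """Map attribute name -> values, as a relying party would read them."""
    stmt = assertion.find(f"{{{SAML}}}AttributeStatement")
    return {at.get("Name"): [v.text for v in at] for at in stmt}
```

Signing of the assertion, which the talk says VOMS does, is left out; this only shows the query/answer shape.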
---
* Morris Riedel: Usage of VOMS SAML:
OMII - Europe: working on interoperability via standards.
Working in the context of JRA1 and 3. VOMS is one of the security profiles identified for interoperability.
A drawback of VOMS was that it required the gLite infrastructure for building and running. Also, VOMS didn't really work with UNICORE.
Advantages now: WS-Clients can use SAML XSD schemas to access VOMS. Also, now working without gLite...
Vincenzo: not completely true: still need admin interface to interact with the db.
We could re-engineer VOMS admin.
Oscar: are you sure you want to do it? Today it's easy to install, configure and use.
Vincenzo: otherwise you can fill in the db schema by hand: it's easy enough. The only drawbacks are:
- voms-admin masks possible schema changes
- voms-admin also checks the consistency of the db information.
Vincenzo comment: "Apparently this did not come out correctly. The intent here was to express exactly the opposite. Working directly with the DB is not simple and it is unsupported. If you do it, you are on your own when something breaks. Also, there is no plan in the JRA1 VOM OMII activity to rewrite voms-admin."
We use test infrastructures to try interoperability scenarios. SAML-based VOMS is not gLite-specific anymore. VOMS is self-contained... (except the voms-admin i.e. 1 rpm).
Test scenario: UNICORE 6 supporting SAML-based voms. Demonstrated at OGF-20 in Manchester.
CREAM also supports SAML assertions.
PDP problem: VOMS is a PIP: now that we have the SAML assertion, how do we use it?
Background: UNICORE 6 is based on XACML policies. We don't use the user proxies: we use WS-Security extensions.
Solution: SAML assertions are used in conjunction with the XACML DB to provide fine-grained access to resources.
Other approaches: GP-BOX.
We still need to do this with CREAM, etc.
It is a good base for interoperability and role-based access to resources.
Christoph: the assertion is signed by the VOMS server, but is it encrypted?
Vincenzo: No.
Example at the blackboard:
    <soapheader saml:...>
    </soapheader>
    <soapbody>
        OGSABES
        JSDL
    </soapbody>
In the backend there must be policies for OGSABES, etc.
This whole mechanism is basically working.
What are the benefits? Why do we do this?
The WISDOM project is a use case where this is useful. The output of the project is a list of chemical components, potential drugs. The output must be refined. The initial grid can be done on the grid, then the refining is done optimally on supercomputers. Having interoperability of the grid and supercomputers (DEISA) is key to enable this.
Possible next steps: delegation mechanisms with SAML
Contact Morris Riedel or Vincenzo for pointers to documentation.
Call for papers: IGIIW @ e-Science 2007.
Questions:
- Ian: when you define the encoding of group, roles etc., how do you define how these structures are interpreted at the resource?
Vincenzo: the intended basic semantics is documented. We'll write new versions of documentation to clarify unclear points, using your input.
Oscar: the doc does not explain how the attributes are used.
Vincenzo: we'll write about this and send it around for comments.