I just want to add that this sounds like something GridShib was designed
to support:

  http://gridshib.globus.org/docs/gridshib-saml-tools
  http://gridshib.globus.org/docs/gridshib-gt

At least it may be worthwhile to look at GridShib as an example.

Rachana Ananthakrishnan wrote:
> Hi,
> 
> From your description it looks like you will need to write custom
> authorization modules for your service that look at the client's
> credential and the SAML attributes to determine if the operation is
> allowed and the account to use for the operation. The exact policy is
> unclear to me. It appears to me that you want either certificates signed
> by a particular service certificate or some specific SAML attributes to
> determine if the user can perform an operation and the local account to
> use - is this correct?
> 
> Here is a reference to the general documentation on the server-side
> authorization piece:
> http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#id2483303
> 
> 
> This talks about writing custom server-side authorization modules:
> http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#wsaajava-domain-serverAuthz-custom
> 
> 
> Configuration is described here:
> http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#wsaajava-domain-serverAuthz-custom
> 
> 
> You could approach this by writing a PIP to handle the SAML attribute, a
> PDP to validate that the certificate is signed by some trusted identity
> and another PDP that enforces policy about the SAML attributes. The
> combining algorithm described in the documentation can be used to
> determine how you want to combine the policy across the PDPs.
> 
> Hope this helps,
> Rachana
> 
> On Sep 29, 2009, at 5:27 AM, Stefan E. Funk wrote:
> 
>> Dear Globus Users,
>>
>> I just installed a brand-new Globus Toolkit 4.2.1 and I wonder if I can
>> use some PEPs and PIPs to decide the following:
>>
>> Working with Grid user certificates and a server certificate, I want to
>> map all user certificates to a certain Unix user (from the grid-mapfile)
>> that are either signed by the above-mentioned server certificate, or
>> maybe instead have some additional SAML attributes in the user
>> certificate.
>>
>> We are using a CreateReadUpdateDelete service in the TextGrid project to
>> write to the Grid, and want to allow this service to write to the Grid
>> only if the users addressing that service own a Grid certificate (because
>> our resource providers want to know exactly who accesses the Grid). So
>> we want to write as the service Grid user (to access the service's
>> directory) if the user's certificate is signed by the service's
>> certificate, and to write as the user (to access the user's home
>> directory) if not.
>>
>> Does someone have experience with those issues, or does someone know how
>> to configure the PEPs and PIPs? I couldn't find much information
>> concerning those issues.
>>
>> Thank you for any help.
>> All the best.
>> Stefan.
>>
>>
>> -- 
>> -----------------------------------------------------------------------
>> Stefan E. Funk
>> DAASI International GmbH            Phone DAASI :     +49 7071 407109-6
>> Europaplatz 3                         Phone SUB : +49 551 39-7700/12170
>> D-72072 Tübingen                          Email :  stefan.f...@daasi.de
>> Germany                                   Web   :   http://www.daasi.de
>>
>> Directory Applications for Advanced Security and Information Management
>> -----------------------------------------------------------------------
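The chain Rachana sketches (a PIP that pulls the SAML attributes into the request context, one PDP that checks who signed the client certificate, a second PDP that checks the attributes, a combining algorithm on top, and the result also selecting the local account Stefan describes) modelled in Python as an added example. It is not code from the thread or from the Globus Toolkit: the GT4 PIP/PDP interfaces and their configuration are not used, the DNs, attribute name, account names and grid-mapfile entries are constructed, and the signer check is a plain issuer-DN comparison standing in for the certificate-chain validation a real module must perform.

```python
# Toy model of the authorization chain discussed above: PIP -> PDPs ->
# combining algorithm -> local account selection. Added example; it does not
# use the Globus Toolkit 4 interfaces, and all names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not_applicable"

# Hypothetical service identity and policy inputs (not from the thread).
SERVICE_DN = "/O=TextGrid/OU=Services/CN=crud.example.org"
SERVICE_ACCOUNT = "textgridsvc"
REQUIRED_SAML_ATTR = ("urn:example:textgrid:role", "writer")

# Constructed grid-mapfile: a quoted subject DN followed by one or more
# comma-separated local accounts, which is the real grid-mapfile layout.
GRIDMAP_TEXT = '''
# constructed sample entries
"/O=TextGrid/OU=Users/CN=Alice Example" alice
"/O=TextGrid/OU=Users/CN=Bob Example" bob,bobgrp
'''


@dataclass
class Cert:
    subject: str
    issuer: str  # DN of whoever signed this certificate


@dataclass
class Context:
    """Per-request context shared by the PIP and the PDPs."""
    cert: Cert
    raw_saml: List[Tuple[str, str]] = field(default_factory=list)
    attributes: Dict[str, Set[str]] = field(default_factory=dict)  # set by the PIP


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile lines; malformed lines fail closed with an error."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        end = line.index('"', 1)
        accounts = [a for a in line[end + 1:].strip().split(",") if a]
        if not accounts:
            raise ValueError("no account for %r" % line[1:end])
        mapping[line[1:end]] = accounts
    return mapping


def saml_pip(ctx: Context) -> None:
    """PIP: collect the SAML attribute statements into the context."""
    for name, value in ctx.raw_saml:
        ctx.attributes.setdefault(name, set()).add(value)


def signer_pdp(ctx: Context) -> str:
    """PDP 1: permit when the client certificate was issued by the service
    certificate. A DN comparison stands in for the chain validation that a
    real module must perform; a DN string on its own proves nothing."""
    return PERMIT if ctx.cert.issuer == SERVICE_DN else NOT_APPLICABLE


def saml_pdp(ctx: Context) -> str:
    """PDP 2: permit when the required attribute/value pair is present."""
    name, value = REQUIRED_SAML_ATTR
    return PERMIT if value in ctx.attributes.get(name, set()) else NOT_APPLICABLE


def combine_deny_overrides(decisions: List[str]) -> str:
    """Any DENY wins, then any PERMIT; nothing applicable means DENY."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return DENY


def authorize(ctx: Context, gridmap: Dict[str, List[str]]) -> Tuple[str, Optional[str]]:
    """Run PIP, PDPs and combiner; on PERMIT also pick the local account:
    the service account if the service signed the certificate, otherwise the
    user's grid-mapfile account, and a refusal if there is none."""
    saml_pip(ctx)
    by_signer = signer_pdp(ctx)
    decision = combine_deny_overrides([by_signer, saml_pdp(ctx)])
    if decision != PERMIT:
        return DENY, None
    if by_signer == PERMIT:
        return PERMIT, SERVICE_ACCOUNT
    accounts = gridmap.get(ctx.cert.subject)
    if not accounts:
        return DENY, None  # policy permits, but no local account: fail closed
    return PERMIT, accounts[0]


if __name__ == "__main__":
    gridmap = parse_gridmap(GRIDMAP_TEXT)
    alice = Context(Cert("/O=TextGrid/OU=Users/CN=Alice Example", SERVICE_DN))
    bob = Context(Cert("/O=TextGrid/OU=Users/CN=Bob Example", "/O=TextGrid/CN=Users CA"),
                  raw_saml=[REQUIRED_SAML_ATTR])
    print(authorize(alice, gridmap), authorize(bob, gridmap))
```

The combiner is deny-overrides with a default of deny, so a request that neither PDP recognises is refused rather than falling through, and a subject that satisfies the SAML PDP but has no grid-mapfile entry is refused as well instead of being run under some default account. Whether the signer check and the attribute check should be alternatives (as here) or both required is exactly the policy question Rachana raises, and it is decided in the combiner and in the account-selection step, not in the individual PDPs.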
