ShibGrid architecture meeting 9 March 2006
Present: Matt Viljoen, Jens Jensen, David Spence, David Wallom and Mark Norman
David showed us his great work in fleshing out the high level architecture (see [http://users.ox.ac.uk/~markn/wikifiles/Shib%20Arch.pdf architecture pdf] - N.B. "CDR"=Corporate Data Repository). This effectively covers the use case of the user who does not have a certificate and gets a lower assurance certificate from myProxy.
The other use case (to be drawn up) involves where the user has (or puts) a proxy certificate in the myProxy server.
DNs on short-lived certificates
One idea is that the IdP/AA should hold the DNs so that they can be mapped through to the eventual short-term certificate generated by myProxy (so that AuthZ would occur seamlessly across the NGS via known DNs). However, it is likely that the DN for a person without a certificate can be generated via an algorithm at myProxy or the portal.
- N.B. in future (possibly beyond this project) we would need a way of mapping DNs so that the low assertion level DN is later mapped to a higher assertion level certificate DN if the user decides to get a long term certificate. (To avoid them having to register twice at the NGS).
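As an added illustration of the two points above (not ShibGrid's own code, and not the algorithm the project settled on): a deterministic DN derivation from the Shibboleth attributes the portal would see, plus a small registry that maps a low-assurance DN to the DN of a long-term certificate obtained later so that existing NGS authorisation entries keep working. The DN prefix, the attribute names (eduPersonPrincipalName and a home-organisation string) and the hash suffix are assumptions for the example.

```python
"""Deterministic low-assurance DN derivation and later DN mapping.

Added example, not ShibGrid code. Assumes the portal receives a scoped
eduPersonPrincipalName (ePPN) and a home-organisation name from the IdP,
and that the NGS uses OpenSSL-style slash-separated DNs.
"""
import hashlib
import re
from typing import Dict, Set

# Assumed prefix for DNs minted for users who have no long-term certificate.
LOW_ASSURANCE_PREFIX = "/C=UK/O=eScience/OU=ShibGrid-LowAssurance"

# Anything outside this set is replaced before it is placed in a DN component.
_UNSAFE = re.compile(r"[^A-Za-z0-9@._-]")


def derive_low_assurance_dn(eppn: str, home_org: str) -> str:
    """Derive the same DN every time for the same Shibboleth identity.

    A stable DN is what lets authorisation across the NGS key on the DN in
    the short-lived myProxy certificate. Unsafe characters are replaced, and
    a short hash of the original ePPN is appended so two ePPNs that sanitise
    to the same string still get different DNs.
    """
    eppn = eppn.strip().lower()
    if "@" not in eppn:
        raise ValueError("eduPersonPrincipalName must be scoped (user@realm)")
    safe_org = _UNSAFE.sub("_", home_org.strip())
    safe_name = _UNSAFE.sub("_", eppn)
    digest = hashlib.sha256(eppn.encode("utf-8")).hexdigest()[:8]
    return f"{LOW_ASSURANCE_PREFIX}/OU={safe_org}/CN={safe_name} {digest}"


class DNMapper:
    """Maps a low-assurance DN to the DN of a later long-term certificate.

    Authorisation checks accept either DN for the same person, so the user
    does not have to register twice at the NGS after getting a real cert.
    """

    def __init__(self) -> None:
        self._upgrades: Dict[str, str] = {}  # low-assurance DN -> long-term DN
        self._reverse: Dict[str, str] = {}   # long-term DN -> low-assurance DN

    def register_upgrade(self, low_dn: str, long_term_dn: str) -> None:
        # Only a DN minted under the low-assurance prefix may be upgraded,
        # and each DN may take part in at most one mapping.
        if not low_dn.startswith(LOW_ASSURANCE_PREFIX + "/"):
            raise ValueError("only low-assurance DNs can be upgraded")
        if long_term_dn.startswith(LOW_ASSURANCE_PREFIX + "/"):
            raise ValueError("target must be a long-term certificate DN")
        if low_dn in self._upgrades or long_term_dn in self._reverse:
            raise ValueError("a mapping for this DN already exists")
        self._upgrades[low_dn] = long_term_dn
        self._reverse[long_term_dn] = low_dn

    def is_authorised(self, presented_dn: str, acl: Set[str]) -> bool:
        """True if the presented DN, or the DN mapped to/from it, is on the ACL."""
        candidates = {presented_dn}
        if presented_dn in self._upgrades:
            candidates.add(self._upgrades[presented_dn])
        if presented_dn in self._reverse:
            candidates.add(self._reverse[presented_dn])
        return bool(candidates & acl)


if __name__ == "__main__":
    # Constructed sample identity; the ACL holds only the low-assurance DN.
    low = derive_low_assurance_dn("alice@example.ac.uk", "Example University")
    mapper = DNMapper()
    mapper.register_upgrade(low, "/C=UK/O=eScience/OU=Example/L=Dept/CN=alice example")
    print(low)
    print(mapper.is_authorised("/C=UK/O=eScience/OU=Example/L=Dept/CN=alice example", {low}))
```

The derivation normalises case and whitespace before hashing so that a repeat login from the same IdP never produces a second identity; the mapper refuses a second mapping for either DN, which is the check that stops one long-term certificate from being attached to several low-assurance identities.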
Second scenario (user has long-term cert. and wants to put a proxy in myProxy)
There is a second myProxy server on the same machine.
- (One is integrated with kerberosCA for scenario 1, but both need to be made to talk to single sign on and Shibboleth somehow).
The user generates the proxy certificate on their client and uploads it into myProxy. The current upload tool is difficult to use and would not fit this purpose. Therefore, David is to work on his own Java upload tool - probably accessed from a web page - so that we know the Shib 'identity' when the certificate is uploaded (to avoid the user having to invoke their SSO credentials as well as their own myProxy username/password).
- N.B. We