Security token
From GEANT2-JRA1 Wiki
A security token represents the user's claims and is used by the Authentication Service to authenticate the user. In perfSONAR, there are two kinds of security token:
- X.509 certificate
- SAML Assertion
X.509 certificate
This kind of security token is an X.509 certificate issued by any CA that is valid in the eduGAIN trust model. The list of valid CAs is:
- eduGAIN CA
- Subordinate eduGAIN CAs
However, the eduGAIN trust model and the associated certificate validation libraries are open to the introduction of CAs that are not subordinate to eduGAIN's root CA.
Certificates shall comply with the format specified for eduGAIN components, and shall carry an appropriate value in the Subject Alternative Name extension:
- A URN that is resolved through the eduGAIN MDS to locate the appropriate H-BE interface(s) for the client. The relying party identifies the client by this URN, not by the Subject CN.
An example of a valid X.509 certificate (issued in 2007; note that it has since expired and is signed with sha1WithRSAEncryption, which is no longer considered acceptable for certificate signatures) is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 36 (0x24)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=net, DC=geant, CN=eduGAINSCA
Validity
Not Before: Mar 19 15:14:21 2007 GMT
Not After : Mar 18 15:14:21 2008 GMT
Subject: DC=net, DC=geant, CN=stromboli.switch.ch
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c8:2c:1d:e9:26:5f:c0:37:d5:94:52:d5:00:a2:
4a:d2:0a:4f:44:83:11:ec:8e:58:da:ef:b6:1f:58:
0e:0b:22:da:83:2d:9c:44:52:61:e3:7d:cf:d5:e2:
94:25:9a:ea:0a:c6:90:0f:fb:fb:7b:b5:50:3a:6d:
d9:27:7a:8d:47:04:92:ce:bb:63:c3:25:be:11:51:
fb:0c:86:53:5f:ab:2a:d8:85:d5:05:cc:e1:88:ad:
26:f6:af:eb:fc:08:44:46:96:5c:30:6c:07:83:bb:
b6:35:36:97:b1:df:71:40:10:3a:59:e5:b1:aa:ed:
3d:a4:0b:0a:64:7a:9e:6b:5b:42:1d:4b:ea:81:a2:
9c:db:ba:50:6c:26:90:20:6a:30:90:0e:8c:8a:c3:
35:66:44:8e:00:dc:1b:03:ca:68:0d:ad:20:63:4b:
15:e6:6e:26:c0:85:17:36:0e:9b:ae:cc:db:ea:3c:
81:e5:c2:c8:33:78:b6:c4:25:da:e8:26:93:1d:8d:
38:4f:00:7e:2f:9f:4f:6e:b4:af:8e:e0:8f:41:39:
c6:72:13:2b:28:1e:5b:a8:f6:97:5d:e5:3b:00:6b:
f4:b7:06:3e:9e:da:c6:79:d7:22:65:8b:2a:2f:25:
bd:78:b1:3c:ba:81:c6:6d:62:0a:e7:00:4e:24:bc:
ab:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
E2:B2:2D:99:AE:98:3C:17:01:0D:40:A6:8C:5C:C3:DA:35:D3:A4:06
X509v3 Authority Key Identifier:
keyid:8B:0F:8F:27:80:D2:93:D7:46:5D:91:84:BB:2E:98:62:AE:04:F1:D2
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
URI:urn:geant:eduroam:component:fedtls:switch
X509v3 CRL Distribution Points:
URI:http://www.rediris.es/pki/edugain/crl/cacrl.der
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.7547.2.0.2
Signature Algorithm: sha1WithRSAEncryption
93:c4:b3:31:c4:84:28:f9:0c:27:33:fe:b7:88:8d:9d:d0:fa:
13:c9:82:33:9c:51:91:ba:bf:4e:fb:2b:34:39:12:bf:5a:61:
30:41:d8:e7:15:93:6f:6d:1c:c6:22:fb:d1:f4:71:cb:47:6f:
e6:c7:1e:33:34:7e:52:04:de:4f:3a:d7:02:f8:d7:f4:9f:64:
55:4d:d6:b8:d3:4e:4b:a1:0e:42:9e:e0:fe:fe:2f:8a:0c:7f:
8f:26:7e:6f:c0:9a:39:47:61:62:43:07:9e:ba:5f:89:75:c8:
52:a6:38:05:2d:66:65:f1:5a:cc:85:d7:ae:71:57:58:b4:0b:
89:23:db:bf:fc:c6:e2:68:1d:5f:cc:cf:72:a2:30:df:a7:38:
9f:be:68:32:04:b2:e8:8c:40:a6:3c:36:28:f7:f0:48:90:e1:
ff:bc:8c:7a:c4:8a:8a:3c:9d:88:4b:e5:3a:28:7f:40:b0:eb:
65:16:4c:cc:ab:55:30:e1:b5:b2:55:60:a8:02:bc:d4:c7:a8:
bc:18:1e:27:47:09:04:84:77:8b:32:f8:b9:fb:6c:43:af:38:
7a:d8:0d:77:af:16:4e:70:30:81:ef:7c:0e:03:d5:d0:e0:10:
19:ad:61:ca:29:5c:33:94:b4:64:c2:4a:e5:f6:34:16:5c:69:
c1:b6:25:9f
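The policy checks named above (issuer in the eduGAIN CA list, an end-entity certificate with client authentication allowed, exactly one urn:geant: URI in the Subject Alternative Name, and a valid period), run over the text form of a certificate as printed by `openssl x509 -text -noout`. This is an added example and not perfSONAR or eduGAIN project code; it assumes chain building, signature and CRL checking have already been done by the TLS stack, the trusted issuer set is an assumption of the example, and the sample dump is the certificate above with the key and signature hex removed.

```python
# Added example (not perfSONAR/eduGAIN project code): the policy checks the
# page names, run over the text form of a certificate as printed by
# `openssl x509 -text -noout`. Chain building, signature and CRL checks are
# left to the TLS stack and are assumed to have passed already. The trusted
# issuer set is an assumption of this example; the sample dump is the page's
# certificate with the key and signature hex removed.
from datetime import datetime, timezone

TRUSTED_ISSUERS = {"DC=net, DC=geant, CN=eduGAINSCA"}   # assumed eduGAIN CA list
URN_PREFIX = "urn:geant:"
CLIENT_AUTH = "TLS Web Client Authentication"

def _gmt(s):
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Collect issuer, validity, signature algorithm and extensions from an openssl dump."""
    cert = {"issuer": None, "subject": None, "sig_alg": None, "not_before": None,
            "not_after": None, "ca": None, "eku": [], "san_uris": []}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Issuer:"):
            cert["issuer"] = value
        elif line.startswith("Subject:"):
            cert["subject"] = value
        elif line.startswith("Signature Algorithm:") and cert["sig_alg"] is None:
            cert["sig_alg"] = value
        elif line.startswith("Not Before"):
            cert["not_before"] = _gmt(value)
        elif line.startswith("Not After"):
            cert["not_after"] = _gmt(value)
        elif line.startswith("X509v3 Basic Constraints"):
            cert["ca"] = "CA:TRUE" in nxt          # CA:FALSE -> end-entity certificate
        elif line.startswith("X509v3 Extended Key Usage"):
            cert["eku"] = [e.strip() for e in nxt.split(",")]
        elif line.startswith("X509v3 Subject Alternative Name"):
            cert["san_uris"] = [g[4:] for g in nxt.split(", ") if g.startswith("URI:")]
    return cert

def component_urn(cert):
    """The SAN URN the relying party resolves through the eduGAIN MDS to find the
    client's H-BE. The client is identified by this URN, not by the Subject CN."""
    urns = [u for u in cert["san_uris"] if u.startswith(URN_PREFIX)]
    return urns[0] if len(urns) == 1 else None   # exactly one URN: an assumption here

def check_edugain_cert(cert, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the list of policy violations; an empty list means the token is acceptable."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer %r is not an eduGAIN CA" % cert["issuer"])
    nb, na = cert["not_before"], cert["not_after"]
    if nb is None or na is None or not (nb <= now <= na):
        problems.append("certificate is outside its validity period")
    if cert["sig_alg"] and "sha1" in cert["sig_alg"].lower():
        problems.append("signed with %s, which is no longer acceptable" % cert["sig_alg"])
    if cert["ca"] is not False:
        problems.append("Basic Constraints must mark an end-entity certificate (CA:FALSE)")
    if CLIENT_AUTH not in cert["eku"]:
        problems.append("Extended Key Usage does not permit client authentication")
    if component_urn(cert) is None:
        problems.append("expected exactly one %s URI in Subject Alternative Name" % URN_PREFIX)
    return problems

def check_dump(text, at_iso):
    """Convenience wrapper: `at_iso` is the evaluation time as an ISO 8601 string."""
    now = datetime.fromisoformat(at_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return check_edugain_cert(parse_cert_text(text), now)

# Constructed input: the page's certificate, abbreviated.
SAMPLE_DUMP = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36 (0x24)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=net, DC=geant, CN=eduGAINSCA
        Validity
            Not Before: Mar 19 15:14:21 2007 GMT
            Not After : Mar 18 15:14:21 2008 GMT
        Subject: DC=net, DC=geant, CN=stromboli.switch.ch
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                URI:urn:geant:eduroam:component:fedtls:switch
            X509v3 CRL Distribution Points:
                URI:http://www.rediris.es/pki/edugain/crl/cacrl.der
"""
```

Evaluated at a date inside its validity window the page's certificate still fails on its SHA-1 signature, and at any current date it fails on expiry as well; swapping the signature algorithm for sha256WithRSAEncryption in the dump makes it pass, which isolates that check.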
SAML Assertion
The SAML assertion is obtained by clients through the eduGAIN SSO profile.
A sample SAML assertion following that profile, for a client with the eduGAIN Cid:
urn:geant:edugain:component:perfsonarclient:NetflowClient10082
acting on behalf of a user who is identified by a Bridge Element (BE) with the eduGAIN Cid:
urn:geant:edugain:component:idp:uninett:idp1
and connecting to a resource identified by:
urn:geant:edugain:component:perfsonarresource:netflow.uninett.no/data
should have the content displayed below:
<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:SAML:1.0:assertion file:..../oasis-sstc-saml-schema-assertion-1.1.xsd"
MajorVersion="1" MinorVersion="1" AssertionID="100001"
Issuer="urn:geant:edugain:component:perfsonarclient:NetflowClient10082"
IssueInstant="2006-12-03T10:00:00Z">
<!-- An audience restriction, that will restrict this security token to be valid for one single resource only. -->
<Conditions>
<AudienceRestrictionCondition>
<Audience>urn:geant:edugain:component:perfsonarresource:netflow.uninett.no/data</Audience>
</AudienceRestrictionCondition>
</Conditions>
<!-- The authNstatement issued by the client itself -->
<AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2006-12-03T10:00:00Z">
<Subject>
<NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">aksjc7e736452829we8</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>relayed-trust</ConfirmationMethod>
<SubjectConfirmationData>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
MajorVersion="1" MinorVersion="1" AssertionID="_200001"
Issuer="urn:geant:edugain:component:idp:uninett:idp1"
IssueInstant="2006-12-03T10:00:00Z">
<!-- This inner assertion is limited to only be valid for the client performing the WebSSO
authentication. This inner assertion cannot be reused or used at all by others than the
NetflowClient10082 instance. But NetflowClient10082 can use it as an evidence when used inside an
assertion issued by NetflowClient10082 using the relayed-trust confirmationMethod. -->
<Conditions>
<AudienceRestrictionCondition>
<Audience>urn:geant:edugain:component:perfsonarclient:NetflowClient10082</Audience>
</AudienceRestrictionCondition>
</Conditions>
<!-- This is the inner authNstatement proving the authentication itself. These elements and attributes must
be identical in the inner and outer assertion:
- AuthenticationStatement@AuthenticationMethod
- AuthenticationStatement/Subject/NameIdentifier
The inner assertion confirmationMethod must be urn:oasis:names:tc:SAML:1.0:cm:bearer. -->
<AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2006-12-03T10:00:00Z">
<Subject>
<NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">aksjc7e736452829we8</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<!-- Signed by the IdP (or Home Bridging element) -->
<SignedInfo>
<CanonicalizationMethod Algorithm="..."/>
<SignatureMethod Algorithm="..."/>
<Reference>
<DigestMethod Algorithm="..."/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
</Signature>
</Assertion>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<!-- Signed by client -->
<SignedInfo>
<CanonicalizationMethod Algorithm="..."/>
<SignatureMethod Algorithm="..."/>
<Reference>
<DigestMethod Algorithm=".."/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
</Signature>
</Assertion>
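The binding rules stated in the comments of the assertion above (outer assertion restricted to the resource, outer confirmation method relayed-trust, inner assertion restricted to the client that issued the outer one, identical AuthenticationMethod and NameIdentifier in both, inner confirmation method bearer) as checks a resource runs before trusting the subject. This is an added example and not perfSONAR or eduGAIN project code. It assumes that both XML signatures (the IdP's over the inner assertion, the client's over the outer) have already been verified against the issuers' certificates; the sample token is constructed from the page's assertion with the placeholder ds:Signature elements left out, and the trusted IdP set is an assumption.

```python
# Added example (not perfSONAR/eduGAIN project code): structural checks a
# resource runs on a relayed-trust token. Assumes both XML signatures were
# verified beforehand. SAMPLE_TOKEN is constructed from the page's example
# with the placeholder ds:Signature elements omitted; TRUSTED_IDPS is assumed.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
RELAYED_TRUST = "relayed-trust"   # confirmation method string used by the profile
RESOURCE = "urn:geant:edugain:component:perfsonarresource:netflow.uninett.no/data"
TRUSTED_IDPS = {"urn:geant:edugain:component:idp:uninett:idp1"}

def q(tag):
    return "{%s}%s" % (NS, tag)

def audiences(assertion):
    path = "%s/%s/%s" % (q("Conditions"), q("AudienceRestrictionCondition"), q("Audience"))
    return [a.text for a in assertion.findall(path)]

def subject_parts(statement):
    """Return (AuthenticationMethod, NameIdentifier Format, NameIdentifier value, ConfirmationMethod)."""
    subj = statement.find(q("Subject"))
    nid = subj.find(q("NameIdentifier")) if subj is not None else None
    cm = subj.findtext("%s/%s" % (q("SubjectConfirmation"), q("ConfirmationMethod"))) if subj is not None else None
    return (statement.get("AuthenticationMethod"),
            nid.get("Format") if nid is not None else None,
            nid.text if nid is not None else None, cm)

def check_relayed_trust(token_xml, resource_id, trusted_idps):
    """Return the list of rule violations; an empty list means the token binds correctly."""
    problems = []
    outer = ET.fromstring(token_xml)
    if outer.tag != q("Assertion"):
        return ["root element is not a SAML 1.x Assertion"]
    client_id = outer.get("Issuer")
    if resource_id not in audiences(outer):
        problems.append("outer assertion is not restricted to this resource")
    outer_stmt = outer.find(q("AuthenticationStatement"))
    if outer_stmt is None:
        return problems + ["outer assertion carries no AuthenticationStatement"]
    o_method, o_fmt, o_name, o_cm = subject_parts(outer_stmt)
    if o_cm != RELAYED_TRUST:
        problems.append("outer confirmation method is %r, expected relayed-trust" % o_cm)
    inner = outer_stmt.find("%s/%s/%s/%s" % (q("Subject"), q("SubjectConfirmation"),
                                             q("SubjectConfirmationData"), q("Assertion")))
    if inner is None:
        return problems + ["no inner assertion is supplied as evidence"]
    if inner.get("Issuer") not in trusted_idps:
        problems.append("inner assertion issuer %r is not a trusted IdP/H-BE" % inner.get("Issuer"))
    if client_id not in audiences(inner):
        problems.append("inner assertion audience is not the client that issued the outer one")
    inner_stmt = inner.find(q("AuthenticationStatement"))
    if inner_stmt is None:
        return problems + ["inner assertion carries no AuthenticationStatement"]
    i_method, i_fmt, i_name, i_cm = subject_parts(inner_stmt)
    if (i_method, i_fmt, i_name) != (o_method, o_fmt, o_name):
        problems.append("AuthenticationMethod/NameIdentifier differ between inner and outer assertion")
    if i_cm != BEARER:
        problems.append("inner confirmation method is %r, expected bearer" % i_cm)
    return problems

# Constructed input: the page's sample token without the placeholder signatures.
SAMPLE_TOKEN = """<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  AssertionID="100001" Issuer="urn:geant:edugain:component:perfsonarclient:NetflowClient10082"
  IssueInstant="2006-12-03T10:00:00Z">
 <Conditions><AudienceRestrictionCondition>
  <Audience>urn:geant:edugain:component:perfsonarresource:netflow.uninett.no/data</Audience>
 </AudienceRestrictionCondition></Conditions>
 <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
  AuthenticationInstant="2006-12-03T10:00:00Z">
  <Subject>
   <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">aksjc7e736452829we8</NameIdentifier>
   <SubjectConfirmation>
    <ConfirmationMethod>relayed-trust</ConfirmationMethod>
    <SubjectConfirmationData>
     <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
      AssertionID="_200001" Issuer="urn:geant:edugain:component:idp:uninett:idp1"
      IssueInstant="2006-12-03T10:00:00Z">
      <Conditions><AudienceRestrictionCondition>
       <Audience>urn:geant:edugain:component:perfsonarclient:NetflowClient10082</Audience>
      </AudienceRestrictionCondition></Conditions>
      <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
       AuthenticationInstant="2006-12-03T10:00:00Z">
       <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">aksjc7e736452829we8</NameIdentifier>
        <SubjectConfirmation>
         <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
        </SubjectConfirmation>
       </Subject>
      </AuthenticationStatement>
     </Assertion>
    </SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
 </AuthenticationStatement>
</Assertion>"""

def demo():
    return check_relayed_trust(SAMPLE_TOKEN, RESOURCE, TRUSTED_IDPS)
```

The sample token passes; presenting it to a different resource, or swapping the outer NameIdentifier for another user while leaving the IdP-signed inner assertion untouched, each produce exactly one violation. Because the inner assertion is audience-restricted to the client and the outer one to the resource, neither assertion can be replayed on its own at another party, which is the point of the relayed-trust construction.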
