Integration of grids and Shibboleth is being hampered because a user's attributes are typically held in different locations, under different identifiers, and there is no coherent way of collecting them together and validating that they all belong to the same user so that they can be used to authorise the user's request.
This project proposes to address this directly. Specifically, the objectives of this project are to:
1. Work with the international community, primarily the Internet2 consortium and the Globus Consortium, but including SWITCH, TERENA and others, to develop the Shibboleth protocol specifications, based on SAMLv2 and other protocols, that will allow a Shibboleth service provider (SP) to collect together a user's attributes from multiple authorities, whilst preserving the user's privacy, so that the aggregated attributes can be used to authorise the user's request. This will significantly ease the integration of Shibboleth with grids. However, the resulting attribute aggregation protocol will be of benefit to any Shibboleth-enabled SP, be it a web service, a grid service, a conventional Shibboleth SP, etc.
2. Build a Policy Information Point (the nAA-PIP) that will evaluate the collected attributes (or credentials) according to the configured trust policy of the Service Provider (SP) and will return the valid set of attributes to the SP's Policy Enforcement Point (PEP). The PEP can then pass the complete set of validated and aggregated attributes to a conventional Policy Decision Point (PDP) for it to make access control decisions. The nAA-PIP will be fully standards conformant, and will be called by the SP through either the standard web services protocol that is being defined by the OGSA-Authz WG or by a Java API that is already implemented in the Globus Toolkit and is also due to be published by the OGSA-Authz WG.
3. Implement the aggregation protocol within the nAA-PIP so that it is capable of collecting the attributes itself from the multiple authorities, prior to validation.
4. Build a pilot demonstrator for the National Grid Service that will show how attributes from multiple AAs can be integrated together and used in authorisation decision making at grid sites that use Shibboleth IdPs.
5. Release all the developed software as open source code through NMI/OMII to the community at large, with a full set of specifications and documentation.
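The following is an added illustration of the PIP/PEP/PDP flow described in the second and third objectives; it is example code written for this page, not the project's nAA-PIP or any Globus/Shibboleth API. It assumes, for simplicity, that every authority has already been mapped to a common subject identifier (the real protocol has to link differing identifiers), and it stands in for SAML signature verification with a per-issuer HMAC. All issuer names, keys and attribute values are constructed. The point it demonstrates is the SP's trust policy: an attribute is accepted only if it comes from a trusted authority, the statement verifies, it refers to the same user, and the authority is actually authoritative for that attribute name.

```python
"""Toy nAA-PIP-style attribute aggregator (example code, not the project's own).

Validates attribute statements from several attribute authorities (AAs)
against the SP's trust policy and hands the PDP one consistent attribute set.
All issuer names, keys and values below are constructed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """One attribute statement from one authority. `mac` stands in for the
    SAML/XML signature a real deployment would verify against the AA's key."""
    issuer: str
    subject: str        # identifier under which the authority knows the user
    attributes: dict    # attribute name -> set of values
    mac: str


def canonical(issuer, subject, attributes):
    """Deterministic encoding of a statement so the MAC covers exactly its content."""
    body = [issuer, subject, sorted((k, sorted(v)) for k, v in attributes.items())]
    return json.dumps(body, separators=(",", ":")).encode()


def issue(issuer, subject, attributes, key):
    """Constructed helper: an authority 'signs' its statement with HMAC-SHA256."""
    mac = hmac.new(key, canonical(issuer, subject, attributes), hashlib.sha256).hexdigest()
    return Assertion(issuer, subject, attributes, mac)


# Constructed SP trust policy: which authorities are accepted, their keys, and
# which attribute names each is authoritative for.  An authority may only speak
# about the attributes it is trusted for; anything else it asserts is ignored.
TRUST_POLICY = {
    "https://idp.example.ac.uk/shibboleth": {
        "key": b"idp-key-constructed",
        "attrs": {"eduPersonPrincipalName", "eduPersonAffiliation"},
    },
    "https://vo.example.org/aa": {
        "key": b"vo-aa-key-constructed",
        "attrs": {"voMembership", "voRole"},
    },
}


def pip_aggregate(assertions, policy, subject):
    """Return (validated attributes, rejection reasons) for `subject`.

    Whole assertions are rejected for an untrusted issuer, a bad MAC, or a
    subject mismatch.  Individual attributes outside the issuer's authority are
    dropped with a reason rather than failing the whole request."""
    attrs = {}
    rejected = []
    for a in assertions:
        entry = policy.get(a.issuer)
        if entry is None:
            rejected.append((a.issuer, "untrusted issuer"))
            continue
        expected = hmac.new(entry["key"], canonical(a.issuer, a.subject, a.attributes),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.mac):
            rejected.append((a.issuer, "bad signature"))
            continue
        if a.subject != subject:
            rejected.append((a.issuer, "subject mismatch"))
            continue
        for name, values in a.attributes.items():
            if name not in entry["attrs"]:
                rejected.append((a.issuer, f"not authoritative for {name}"))
                continue
            attrs.setdefault(name, set()).update(values)
    return attrs, rejected


def pdp_decide(attrs, required):
    """Minimal PDP: permit only if every required attribute has at least one
    acceptable value in the aggregated, validated set."""
    return all(attrs.get(name, set()) & set(values) for name, values in required.items())


def demo():
    """PEP-side flow: collect statements, ask the PIP to validate, ask the PDP."""
    user = "alice@example.ac.uk"
    idp_key = TRUST_POLICY["https://idp.example.ac.uk/shibboleth"]["key"]
    vo_key = TRUST_POLICY["https://vo.example.org/aa"]["key"]
    assertions = [
        # Campus IdP: authoritative for ePPN/affiliation, but not for voRole.
        issue("https://idp.example.ac.uk/shibboleth", user,
              {"eduPersonPrincipalName": {user}, "eduPersonAffiliation": {"member", "staff"},
               "voRole": {"admin"}}, idp_key),
        # VO attribute authority: authoritative for VO membership.
        issue("https://vo.example.org/aa", user, {"voMembership": {"ngs-users"}}, vo_key),
        # Unknown authority claiming a privileged role: not in the trust policy.
        issue("https://rogue.example.net/aa", user, {"voRole": {"admin"}}, b"rogue-key"),
        # Genuine VO statement, but about a different user.
        issue("https://vo.example.org/aa", "bob@example.ac.uk", {"voRole": {"admin"}}, vo_key),
    ]
    attrs, rejected = pip_aggregate(assertions, TRUST_POLICY, user)
    decision = pdp_decide(attrs, {"eduPersonAffiliation": {"member"},
                                  "voMembership": {"ngs-users"}})
    return attrs, rejected, decision


if __name__ == "__main__":
    validated, reasons, permit = demo()
    print("validated:", validated)
    print("rejected:", reasons)
    print("permit:", permit)
```

Running `demo()` accepts only the attributes each authority is trusted for: the IdP's `voRole` claim, the rogue authority's statement and the statement about another user are all dropped with a reason, yet the request is still permitted because the remaining attributes satisfy the PDP's rule. Logging the rejection reasons is what lets an operator see a misconfigured or hostile authority rather than silently losing attributes.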