Ticket #1093 (closed task: fixed)

Opened 9 years ago

Last modified 9 years ago

[S] Change MyProxy CA config to write user OpenID into issued cert. DN

Reported by: pjkersha Owned by: pjkersha
Priority: required Milestone: CMIP5 Security
Component: security Version:
Keywords: Cc:

Description

The CEDA MyProxy service dynamically issues user certificates based on CEDA users' credentials held in the database. Currently it sets a new certificate with a DN containing the user's username. Change this to add the user's OpenID instead, e.g.

/O=STFC/OU=CEDA/CN=https://mycedaopenid/MyName

This has been agreed as the standard way to represent user DNs in the ESG federation (Luca, Rachana and Phil e-mail correspondence).

MyProxy version >= 4.6 is required to support this. There is still some doubt as to whether the DN specification allows for all the characters that are allowed in a URL. '&' and '?' could be problematic but we do not expect to support OpenIDs containing URL query parameters.

The fallback is that the OpenID is provided in the embedded SAML assertion contained in the X.509 certificate extension.
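As an added example (not code from the ticket or the NDG/CEDA project), the following parser extracts the OpenID from a slash-separated DN of the form shown above and applies the ticket's constraint that query parameters are not supported. It assumes OpenSSL-style `/TYPE=value` syntax and that http or https schemes are acceptable.

```python
"""Parse a DN whose CN carries an OpenID URL and check it is acceptable.

Added example, not project code. Assumes the slash-separated DN text
shown in the ticket, e.g. /O=STFC/OU=CEDA/CN=https://mycedaopenid/MyName
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# A new RDN begins at '/' followed by an attribute type and '='. Splitting
# on every '/' would break the URL held in the CN, which contains slashes.
# (A URL path segment that itself looks like 'x=y' would still be ambiguous
# in this text form; such OpenIDs are not expected by the ticket.)
_RDN_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (attribute type, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("expected a slash-separated DN")
    pairs = []
    for rdn in _RDN_BOUNDARY.split(dn[1:]):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr_type, value))
    return pairs


def check_openid_cn(dn: str) -> List[str]:
    """Return a list of problems with the OpenID in the CN; [] means OK."""
    problems = []
    cn_values = [v for t, v in parse_dn(dn) if t == "CN"]
    if len(cn_values) != 1:
        return ["expected exactly one CN, found %d" % len(cn_values)]
    cn = cn_values[0]
    url = urlsplit(cn)
    # Assumption: OpenIDs are http or https URLs with a host.
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("CN is not an http(s) URL: %r" % cn)
    # The ticket flags '&' and '?' as potentially outside what the DN
    # specification allows and rules out OpenIDs with query parameters.
    if "?" in cn or "&" in cn or url.query or url.fragment:
        problems.append("OpenID with query/fragment characters not supported")
    return problems


def openid_from_dn(dn: str) -> str:
    """Extract the OpenID, raising if the DN fails the checks above."""
    problems = check_openid_cn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    return [v for t, v in parse_dn(dn) if t == "CN"][0]
```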

Change History

comment:1 Changed 9 years ago by pjkersha

  • Status changed from new to closed
  • Resolution set to fixed

Updated by changing the config settings for the MyProxy Certificate plugin app, ndg.security.server.myproxy.certificate_extapp.saml_attribute_assertion, on the MyProxy Server host.