...

Although this may not be the actual implementation for every use case, we will assume that every authorization model within a community can be modeled as users' membership in groups created in the organization.

One of the goals of the best practices described in this document is that authorization and authentication information can be provided by separate entities, similar to what may happen in a federated identity scenario, where the IdPs provide the authentication information and the authorization attributes are provided by attribute authorities managed by the communities or other third parties. A similar approach should be implemented for the X.509 credentials, as shown in the following figure.

[Figure: X.509 credentials built from IdP authentication information and community group membership attributes]

The information from the IdP is used by a certification authority to create a personal certificate carrying the authentication information of the user, while the group membership attributes are used by an X.509 group management entity to extend the user certificate with group membership information.

Translating authentication information

IGTF is the most relevant federation of X.509 certification authorities for research infrastructures and e-infrastructures worldwide. The CAs federated in IGTF are commonly accepted by EGI, PRACE, EUDAT, OGF and many other service provider federations in the world. This section focuses on the IGTF profile for X.509 certificates as described by the existing policies.

The following are some of the attributes that are permitted in the end entity certificate DN:

DC: Domain
C: Country
L: Locality
O: Organization
CN: Common name
The following is an example of a complete certificate DN:
/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth 
/O=dutchgrid/O=users/O=egi/CN=Peter Solagna

The first line is the namespace, which within IGTF usually identifies the certification authority, and the second line contains the attributes specific to the user. The CA prefix is unique within IGTF (between certification authorities) and the user CN must be unique within the namespace.

The recommendations for the user CN are the following:

  1. The CN attribute shall be a combination of the SAML attribute "displayName" and the eduPersonUniqueID
    1. If eduPersonUniqueID is not released, eduPersonPrincipalName shall be used
    2. If eduPersonPrincipalName is not released, eduPersonTargetedID shall be used
  2. The CA must ensure that the CN is unique within its namespace
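The CN construction rule above, with its attribute fallback order and the per-namespace uniqueness check, as an added example (not code from this document or from any CA); the namespace prefix, the issued-CN registry and the attribute values are constructed for illustration.

```python
"""Assemble an IGTF-style end-entity subject DN from released SAML attributes.

Added example. Attribute names follow the recommendation above; the CA
namespace prefix and the registry of issued CNs are constructed.
"""
import re

# Fallback order for the identifier part of the CN, per the recommendation.
ID_ATTRIBUTES = ("eduPersonUniqueID", "eduPersonPrincipalName", "eduPersonTargetedID")

# Characters that would break or make ambiguous the OpenSSL one-line DN format.
_UNSAFE = re.compile(r"[/=,\x00-\x1f]")


def _released(attrs, name):
    """Return the attribute value only if the IdP released a non-empty one."""
    value = attrs.get(name)
    return value.strip() if isinstance(value, str) and value.strip() else None


def build_cn(attrs):
    """Combine displayName with the first released identifier attribute."""
    display_name = _released(attrs, "displayName")
    if display_name is None:
        raise ValueError("displayName not released; cannot build CN")
    for name in ID_ATTRIBUTES:
        identifier = _released(attrs, name)
        if identifier is not None:
            break
    else:
        raise ValueError("no identifier attribute released")
    cn = f"{display_name} {identifier}"
    if _UNSAFE.search(cn):
        raise ValueError("CN contains characters unsafe for a DN component")
    return cn


class CaNamespace:
    """Tracks issued CNs so the CA can enforce uniqueness within its namespace."""

    def __init__(self, prefix):
        self.prefix = prefix   # constructed, e.g. "/O=dutchgrid/O=users/O=egi"
        self.issued = set()    # CNs already bound to a certificate in this namespace

    def issue_dn(self, attrs):
        """Build the full subject DN, refusing a CN that was already issued."""
        cn = build_cn(attrs)
        if cn in self.issued:
            raise ValueError(f"CN already issued in {self.prefix}: {cn}")
        self.issued.add(cn)
        return f"{self.prefix}/CN={cn}"
```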



...