Multiple sign-on

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 01:33:35 PDT 2004


Dave Morris has rightly pointed out that our SSO scheme needs multiple
sign-ons when the user uses privileges granted to accounts in different
communities. I think we have multiple sign-on (MSO) geographically but not
temporally: a user or his/her agent will need to talk to multiple communities
once per session, but won't need to sign on again in the middle of a session.

I have in mind that there can be multiple accounts, at different communities,
for the same user identity.  I.e. a user identity is not synonymous with an
account name; rather, a user identity _has_ one or more accounts.

It should then be possible to determine all accounts (plus hosting
communities) for a given user id and to log in to them all at the same time.
This can either be done by the user entering one password per community or by
federating the communities: user logs into community A using an SSO password;
communities B and C trust A as a CA; therefore, user's agent logs into B and C
using the warrant got by logging in to A.

In respect of "determining all accounts for a given user", we _could_ do this
using the resource registry if users and accounts are registered resources.
Please see

http://wiki.astrogrid.org/bin/view/AG2/MaxRegistryUsage

for a discussion of this.  At the moment, I _like_ the idea of putting users
in the resource registry...but it needs discussion to sort out the true
strengths and weaknesses.

Regards,
Guy

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
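
The sign-on scheme sketched in the message above, as an added example that is
not part of the original post or of any AstroGrid code: one identity holds
accounts at several communities, all logins happen once at session start, and a
community accepts a warrant only from a community it directly trusts as a CA.
Community D, the identity, the account names, all function names and the
non-transitive trust rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data. Community names A, B, C follow the message;
# D, the identity and the account names are assumptions for illustration.
ACCOUNTS = {"user-1": {"A": "u1", "B": "user_one", "C": "u1_c", "D": "u1d"}}
# community -> communities whose warrants it accepts (trusts as a CA).
# Assumption: trust is direct only, never transitive.
TRUSTS = {"B": {"A"}, "C": {"A"}, "D": {"C"}}


@dataclass
class Session:
    identity: str
    home: str
    # community -> (account name, how the login was obtained)
    logins: dict = field(default_factory=dict)
    prompts: int = 0  # passwords the user had to enter


def sign_on(identity, home):
    """Log in to every account of `identity` once, at session start."""
    accounts = ACCOUNTS[identity]
    if home not in accounts:
        raise ValueError(f"{identity} has no account at {home}")
    session = Session(identity, home)
    for community in [home] + sorted(c for c in accounts if c != home):
        if community != home and home in TRUSTS.get(community, set()):
            method = f"warrant from {home}"
        else:
            method = "password"
            session.prompts += 1
        session.logins[community] = (accounts[community], method)
    return session


def login_for(session, community):
    """Mid-session lookup: reuses the start-of-session login, never prompts."""
    return session.logins[community]


def best_home(identity):
    """Community whose SSO password gives the fewest password prompts."""
    return min(sorted(ACCOUNTS[identity]),
               key=lambda home: sign_on(identity, home).prompts)


if __name__ == "__main__":
    s = sign_on("user-1", "A")
    print(s.prompts, s.logins)
    print(best_home("user-1"))
```

With A as the home community, D still needs its own password: D trusts C and C
trusts A, but under the direct-trust assumption D does not accept A's warrant.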


