Multiple sign-on

Tony Linde ael at star.le.ac.uk
Tue Jul 6 02:25:30 PDT 2004


I think it would be fatal to assume multiple community accounts per user
identity. Why on earth would we want it? The whole idea is to have a single
identity/account and for that to be valid at all locations. 

The user will gather multiple privileges from belonging to multiple groups,
not multiple communities. Belonging to a community will confer no privileges
on a user. Just because I register my account through Leicester does not
mean I have any rights over any data. I only gather those rights by being
granted membership of various groups.

MSO really must be avoided or we'll end up in a complete mess.

Cheers,
Tony. 

> -----Original Message-----
> From: owner-grid at eso.org [mailto:owner-grid at eso.org] On 
> Behalf Of Guy Rixon
> Sent: 06 July 2004 09:34
> To: grid at ivoa.net
> Subject: Multiple sign-on
> 
> Dave Morris has rightly pointed out that our SSO scheme needs 
> multiple sign-ons when the user uses privileges granted to 
> accounts in different communities. I think we have multiple 
> sign-on (MSO) geographically but not
> temporally: a user or his/her agent will need to talk to 
> multiple communities once per session, but won't need to sign 
> on again in the middle of a session.
> 
> I have in mind that there can be multiple accounts, at 
> different communities, for the same user identity.  I.e. a 
> user identity is not synonymous with an account name; 
> rather, a user identity _has_ one or more accounts.
> 
> It should then be possible to determine all accounts (plus hosting
> communities) for a given user id and to log in to them all at 
> the same time.
> This can either be done by the user entering one password per 
> community or by federating the communities: user logs into 
> community A using a SSO password; communities B and C trust A 
> as a CA; therefore, user's agent logs into B and C using the 
> warrant got by logging in to A.
> 
> In respect of "determining all accounts for a given user", we 
> _could_ do this using the resource registry if users and 
> accounts are registered resources.
> Please see
> 
> http://wiki.astrogrid.org/bin/view/AG2/MaxRegistryUsage
> 
> for a discussion of this.  At the moment, I _like_ the idea 
> of putting users in the resource registry...but it needs 
> discussion to sort out the true strengths and weaknesses.
> 
> Regards,
> Guy
> 
> Guy Rixon                                  gtr at ast.cam.ac.uk
> Institute of Astronomy                     Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA     Fax: +44-1223-337523
> 
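A toy model of the scheme the two messages debate (one identity owning several community accounts, a warrant from community A accepted by communities that trust A, and rights conferred only by group membership), added here as an illustration; it is not code from the thread or from AstroGrid/IVOA, and the community names, account names and identities are constructed.

```python
from dataclasses import dataclass, field

# Constructed model, not AstroGrid/IVOA code: one identity HAS one or more accounts,
# communities may trust another community's sign-on warrant, and authorisation is
# decided by group membership alone (community membership confers nothing).

@dataclass(frozen=True)
class Warrant:
    identity: str   # user identity the warrant vouches for
    issuer: str     # community that checked the password ("A" in the thread)

@dataclass
class Community:
    name: str
    trusts: set = field(default_factory=set)       # issuers whose warrants are accepted
    accounts: dict = field(default_factory=dict)   # account name -> identity

    def accepts(self, w: Warrant) -> bool:
        return w.issuer == self.name or w.issuer in self.trusts

class Federation:
    def __init__(self):
        self.communities = {}   # name -> Community
        self.groups = {}        # group name -> set of identities

    def accounts_for(self, identity):
        """All (community, account) pairs for one identity."""
        return sorted((c.name, a) for c in self.communities.values()
                      for a, who in c.accounts.items() if who == identity)

    def sign_on(self, identity, password_ok, home):
        """One password at the home community yields one warrant for the session."""
        if not password_ok or identity not in self.communities[home].accounts.values():
            return None
        return Warrant(identity, home)

    def sessions(self, w):
        """Communities the agent can enter with this warrant, with no second password."""
        return sorted(c.name for c in self.communities.values() if c.accepts(w))

    def may_read(self, w, dataset_group):
        """Authorisation: group membership, never the community the account lives in."""
        return w.identity in self.groups.get(dataset_group, set())

def build_demo():
    # Constructed federation: B and C trust A; D trusts nobody.
    f = Federation()
    for name, trusts in (("A", set()), ("B", {"A"}), ("C", {"A"}), ("D", set())):
        f.communities[name] = Community(name, trusts)
    f.communities["A"].accounts["tony"] = "id:tony"     # same identity, two accounts
    f.communities["C"].accounts["tlinde"] = "id:tony"
    f.groups["survey-readers"] = {"id:tony"}           # the only source of rights
    return f
```

Registering at A gives the identity no data rights by itself; only the group grant does, and the warrant from A opens B and C but not D.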


