MSO and multiple communities

Clive Page cgp at star.le.ac.uk
Tue Jul 6 05:37:20 PDT 2004


On Tue, 6 Jul 2004, Guy Rixon wrote:

> In light of Tony's last message, I ask the group whether we are to proceed
> with the abilities to have accounts at more than one community, to federate
> communities and to allow credentials for an SSO session to be collected from
> more than one server. If not, then the nature of the system is changed; some
> processes are simplified and some are made impossible.

I think the last two postings appear to be at odds because of different
shades of meaning attached to terms like group, community, and account.

Surely the functionality requirements for SSO are now as clear (or at
least as clear as anything in the VO):

- User should have to log on with a user-id and password only once
per computer session, no matter how many sites, at home or abroad, to
which the user has privileged access.

Now I'm no expert on implementation, but I guess this could be done by the
user having a digital certificate (issued by a UK Certification Authority)
stored somewhere on the file system of all the computers he/she uses.
The user obviously will have to log in *once* with a password at the start
of a session with that computer, to some site which will confirm their
identity (otherwise any other user of the same computer could impersonate
them).  Once authenticated, they presumably get some token (via a cookie
mechanism?) which can be used elsewhere, indeed everywhere else that they
have an account.

If the user then accesses a site which is part of the Erewhon Virtual
Observatory where they are part of a group (or community?) with special
privileges, they should be able to use their existing UK digital
certificate plus the session token to get access to their account
without explicitly logging on, i.e. entering a password again.
The Erewhon system recognises their digital certificate as identifying
them as a member of some local Erewhon group, while the token says they
have validly logged in someplace.  This seems to conform to the usual
security criterion that you use one thing you have (the certificate) as
well as one thing you know (your password) for the initial log on.

Of course this will only work if the Erewhon authorities recognise UK
digital certificates and tokens; presumably (as with visa tit-for-tats)
this will depend on the UK recognising the same for the citizens of what
Guy means by a federated community.  I don't see why it should not work,
but that's more sociology than science.

Using what I think I understand to be Guy's terminology, such a user still
belongs only to a UK "community", but also belongs to an Erewhonian
"group". The user has an "account" on at least one system in the UK and
one in Erewhon, but only has to log on explicitly to one of these.

Does this conform to Tony's requirements, and is it feasible?

But this raises one extra question: does it have to be the local UK system
that is the only one to generate a valid session token, or could the user
log on first to Erewhon, and then use the token this generates to access a
UK site?  If the user's initial password is only decryptable on a UK
authentication server, then I guess the user has to log on *first* to a
system in the UK.  Or is there some way around this?

Another question: are these certificates issued per country, or per
institution?  If the former then I guess we want one PPARC-wide
authentication server for us in the UK; if the latter, then a lot more
federation and mutual recognition agreements have to be sorted out.

-- 
Clive Page
Dept of Physics & Astronomy,
University of Leicester,
Leicester, LE1 7RH,  U.K.
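The federation scheme sketched in the post (the certificate identifies the group member, a session token from a recognised community proves the single logon, and recognition agreements decide whose tokens are accepted) as an added Python model; it is not part of the original post or of any VO implementation. The community names, userids, passwords and certificate subject are constructed, and an HMAC with a per-community key stands in for a CA-backed signature.

```python
import base64, hashlib, hmac, json, secrets, time

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Community:
    """One authentication domain: its own accounts, groups and token-signing key."""
    def __init__(self, name, accounts, groups):
        self.name = name
        self.key = secrets.token_bytes(32)  # HMAC key stands in for a CA-backed signing key (assumption)
        self.groups = groups                # certificate subject -> local group
        self.trusted = {name: self.key}     # recognised issuers; initially only itself
        self.accounts = {}                  # userid -> (salt, pbkdf2 digest, certificate subject)
        for userid, (password, subject) in accounts.items():
            salt = secrets.token_bytes(16)
            self.accounts[userid] = (salt, _pw_hash(password, salt), subject)

    def recognise(self, other):
        """One-way recognition agreement: accept session tokens issued by `other`."""
        self.trusted[other.name] = other.key

    def login(self, userid, password, ttl=3600):
        """The single explicit password logon; returns a signed session token or None."""
        salt, digest, subject = self.accounts.get(userid, (None, None, None))
        if salt is None or not hmac.compare_digest(digest, _pw_hash(password, salt)):
            return None
        body = json.dumps({"iss": self.name, "sub": subject, "exp": int(time.time()) + ttl}).encode()
        sig = hmac.new(self.key, body, "sha256").digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def token_subject(self, token):
        """Subject named in the token, if a recognised community issued it and it is unexpired."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
            claims = json.loads(body)
            key = self.trusted[claims["iss"]]  # KeyError: issuer not recognised here
        except (ValueError, KeyError, TypeError):
            return None
        good_sig = hmac.compare_digest(hmac.new(key, body, "sha256").digest(), sig)
        return claims["sub"] if good_sig and claims["exp"] >= time.time() else None

    def access(self, cert_subject, token):
        """Certificate identifies the group member; token proves a valid logon somewhere trusted."""
        return self.groups.get(cert_subject) if self.token_subject(token) == cert_subject else None
```

Because recognition here means holding the issuer's HMAC key, a recognising community could also mint that issuer's tokens; with certificate-based signatures, as the post assumes, it would need only the issuer's public key. The reverse case the post asks about (logging on first to Erewhon) succeeds exactly when the UK side has called `recognise` on Erewhon.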
