MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 05:52:01 PDT 2004


Pure SSO has a problem if service providers are picky about which communities
they trust.

Suppose user U joins community A. Service providers X and Y trust
A, therefore accept requests from U(A). Service provider Z doesn't trust A but
does trust community B. Therefore, U joins B as well and Z accepts requests
from U(B). U then needs to combine X, Y and Z in one workflow and therefore
needs to be U(A) and U(B) at the same time.


On Tue, 6 Jul 2004, Tony Linde wrote:

> Is there any reason why we would want to implement MSO?
>
> To my mind it adds nothing that cannot be achieved with groups since anyone
> can be made a member of a group regardless of the community to which they
> first registered. And it introduces the complexity of trying to recognise
> where multiple accounts belong to the same person and reconciling the
> privileges associated with each account.
>
> There won't be anything to stop a person having more than one account but if
> they do so they can only use the privileges associated with their sign-on
> account - under SSO that is. I suppose that if there is a later need for MSO
> recognised then it is something that can be added onto the VObs standards.
> But if we implement MSO, there'll be no going back to SSO - and it'll take a
> lot more to design it right and get it working I would have thought.
>
> Can anyone think of use cases which demonstrate an advantage to MSO?
>
> > to federate communities and to allow
> > credentials for an SSO session to be collected from more than
> > one server.
>
> How do these relate to SSO vs MSO? (My apologies if these have already been
> discussed - I've been tied up recently - point me at past threads if so.)
>
> Cheers,
> Tony.
>
> > -----Original Message-----
> > From: owner-grid at eso.org [mailto:owner-grid at eso.org] On
> > Behalf Of Guy Rixon
> > Sent: 06 July 2004 12:17
> > To: grid at ivoa.net
> > Subject: MSO and multiple communities
> >
> > In light of Tony's last message, I ask the group whether we
> > are to proceed with the abilities to have accounts at more
> > than one community, to federate communities and to allow
> > credentials for an SSO session to be collected from more than
> > one server. If not, then the nature of the system is changed;
> > some processes are simplified and some are made impossible.
> >
> > I don't mind changing tack if there is consensus, but I need
> > to know which way we're going before I finish the SSO document-set.
> >
> > Cheers,
> > Guy
> >
> > Guy Rixon 				        gtr at ast.cam.ac.uk
> > Institute of Astronomy   	                Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> >
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
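
The U(A)/U(B) scenario from the message above, as an added example that is not part of the original post: it checks whether one community identity satisfies every service in a workflow (pure SSO) and otherwise finds the smallest set of identities needed. The function names and the `TRUST`/`MEMBERSHIPS` tables are assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed sample data mirroring the message: the communities each
# service provider trusts, and the communities user U has joined.
TRUST = {"X": {"A"}, "Y": {"A"}, "Z": {"B"}}
MEMBERSHIPS = {"A", "B"}


def usable(service, trust, memberships):
    """Communities the user belongs to that this service also trusts."""
    return trust.get(service, set()) & memberships


def sso_communities(workflow, trust, memberships):
    """Communities whose single identity every service in the workflow accepts."""
    common = set(memberships)
    for service in workflow:
        common &= usable(service, trust, memberships)
    return common


def plan_identities(workflow, trust, memberships):
    """Return (smallest set of identities covering the workflow,
    identity to present to each service). Raises LookupError if some
    service trusts none of the user's communities."""
    if not workflow:
        return set(), {}
    for service in workflow:
        if not usable(service, trust, memberships):
            raise LookupError(f"no trusted identity for service {service}")
    # Exhaustive search, smallest subsets first; acceptable for the handful
    # of communities one user joins. The full membership set always covers
    # the workflow after the check above, so the loop always returns.
    for size in range(1, len(memberships) + 1):
        for subset in combinations(sorted(memberships), size):
            chosen = set(subset)
            if all(usable(s, trust, chosen) for s in workflow):
                return chosen, {s: min(usable(s, trust, chosen)) for s in workflow}


if __name__ == "__main__":
    print(sso_communities(["X", "Y", "Z"], TRUST, MEMBERSHIPS))
    print(plan_identities(["X", "Y", "Z"], TRUST, MEMBERSHIPS))
```
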


