MSO and multiple communities
Dave Morris
dave at ast.cam.ac.uk
Tue Jul 6 05:56:50 PDT 2004
Both approaches have problems, and neither solves the complexity; it
just moves it around.
As you say, choosing one or the other makes some things simpler, and
others much more complex.

So far in AstroGrid Community, we have been working towards one globally
unique Account, registered with a single Community.
The Community service manages identity for Accounts registered with that
Community.
The Community service also manages membership of Groups registered with
that Community.

An Account (identity) is registered with one Community, but will be a
member of multiple Groups at multiple Communities.
Access rights are checked based on membership of groups (credentials).

This is a rough outline of the kind of thing we were aiming for (some of
this is out of date now).
http://wiki.astrogrid.org/bin/view/Astrogrid/CrossCommunityPolicyChecking

Would it work if a Community issued a warrant (certificate) when an
Account joined a Group at that Community?
An Account would then have a primary identity certificate signed by
their 'home' Community, to prove who they are, plus a set of membership
certificates signed by other Communities to prove that they belong to
Groups on those Communities.

Dave

Guy Rixon wrote:
>In light of Tony's last message, I ask the group whether we are to proceed
>with the abilities to have accounts at more than one community, to federate
>communities and to allow credentials for an SSO session to be collected from
>more than one server. If not, then the nature of the system is changed; some
>processes are simplified and some are made impossible.
>
>I don't mind changing tack if there is consensus, but I need to know which
>way we're going before I finish the SSO document-set.
>
>Cheers,
>Guy
>
>Guy Rixon gtr at ast.cam.ac.uk
>Institute of Astronomy Tel: +44-1223-337542
>Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
>
>
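
The warrant scheme proposed in the message above, sketched as an added example (not part of the original message and not AstroGrid code): a resource verifies an identity certificate from the Account's home Community, then a membership warrant signed by the Community that owns the Group. Ed25519, the `Cert` field layout, and the Community, Account and Group names are assumptions made for illustration.

```go
package main

import "crypto/ed25519"

// Cert (hypothetical format): "identity" vouches for Account, "member" places it in Group.
type Cert struct {
	Kind, Issuer, Account, Group string
	Sig                          []byte
}

func (c Cert) payload() []byte { // NUL separators keep the signed fields unambiguous
	return []byte(c.Kind + "\x00" + c.Issuer + "\x00" + c.Account + "\x00" + c.Group)
}

type Community struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

type Trust map[string]ed25519.PublicKey // verifier's view: Community name -> public key

func NewCommunity(name string) *Community {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &Community{name, pub, priv}
}

func (c *Community) Issue(kind, account, group string) Cert {
	cert := Cert{Kind: kind, Issuer: c.Name, Account: account, Group: group}
	cert.Sig = ed25519.Sign(c.priv, cert.payload())
	return cert
}

// Authorize needs a valid identity plus a warrant signed by the Group's own Community.
func Authorize(t Trust, id Cert, warrants []Cert, community, group string) bool {
	ok := func(c Cert, kind string) bool {
		return c.Kind == kind && t[c.Issuer] != nil && ed25519.Verify(t[c.Issuer], c.payload(), c.Sig)
	}
	for _, w := range warrants {
		if ok(id, "identity") && ok(w, "member") && w.Issuer == community && w.Group == group && w.Account == id.Account {
			return true
		}
	}
	return false
}

func main() { // constructed Community, Account and Group names
	home, remote := NewCommunity("home.example"), NewCommunity("remote.example")
	id := home.Issue("identity", "dave@home.example", "")
	w := remote.Issue("member", "dave@home.example", "survey")
	if !Authorize(Trust{"home.example": home.Pub, "remote.example": remote.Pub}, id, []Cert{w}, "remote.example", "survey") {
		panic("expected access to be granted")
	}
}
```

The check `w.Issuer == community` is what stops a home Community from granting membership of another Community's Group, and `w.Account == id.Account` binds each warrant to the proven identity.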