SSO authentication: a new approach

Guy Rixon gtr at ast.cam.ac.uk
Fri Mar 18 22:29:55 PST 2005


Ray,

it's always been the AstroGrid plan that group membership would be managed in
community services, not at service-provider sites. This is to remove from
the providers the admin burden of herding ~10,000 users.

Cheers,
Guy

On Wed, 16 Mar 2005, Ray Plante wrote:

> On Wed, 16 Mar 2005, Paul Harrison wrote:
> > What makes it a pain normally to get a certificate (in the UK at least)
> > is that once you have made the certificate request with the shared
> > secret from your private key, you are expected to turn up in person at
> > the CA before they will push the button to send the signed certificate
> > back to you - we could relax that process so that the CA always will
> > return the signed certificate without this human step. At which point
> > the identity confirmed by the certificate is effectively a member of the
> > anonymous community - for this identity to be admitted into other more
> > privileged communities perhaps they would have to undergo some more
> > rigorous identity check. It means that when checking for authority to do
> > an operation, the privileges will have been assigned to communities and
> > then a community service will have to be consulted to check if the
> > identity belongs to the community.
>
> This seems a reasonable alternative.  I had had the idea that
> authorization policy should be set locally by service providers; however,
> this plan would require this association with the anonymous community at a
> higher (say, VO project) level.
>
> (Thanks for pushing on this thread!)
>
> cheers,
> Ray
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
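
The authorization flow discussed in this thread, as an added example that is not part of the original messages and is not AstroGrid code: the provider keeps only an operation-to-community policy and asks a central community service about membership. All class names, operation names and subject DNs below are hypothetical, and the certificate is assumed to have been validated against the CA already.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # community of every holder of a CA-signed certificate


@dataclass
class CommunityService:
    """Holds group membership centrally, on behalf of all providers."""
    members: dict = field(default_factory=dict)  # community -> set of subject DNs

    def enrol(self, community, subject_dn):
        # Stands in for the more rigorous identity check a community may require.
        self.members.setdefault(community, set()).add(subject_dn)

    def is_member(self, community, subject_dn):
        if community == ANONYMOUS:
            return True  # no vetting beyond the automatically signed certificate
        return subject_dn in self.members.get(community, set())


@dataclass
class ServiceProvider:
    """Stores only operation -> communities policy, never a user list."""
    community_service: CommunityService
    policy: dict  # operation -> set of communities granted that operation

    def authorize(self, subject_dn, operation):
        # subject_dn is assumed to come from an already validated certificate.
        allowed = self.policy.get(operation, set())  # unknown operation: deny
        return any(self.community_service.is_member(c, subject_dn)
                   for c in allowed)


def demo():
    cs = CommunityService()
    cs.enrol("survey-team", "/O=Example/CN=Alice")  # constructed sample DN
    sp = ServiceProvider(cs, {
        "query-public-catalogue": {ANONYMOUS},
        "write-proprietary-data": {"survey-team"},
    })
    alice, bob = "/O=Example/CN=Alice", "/O=Example/CN=Bob"
    return {
        "alice_write": sp.authorize(alice, "write-proprietary-data"),
        "bob_read": sp.authorize(bob, "query-public-catalogue"),
        "bob_write": sp.authorize(bob, "write-proprietary-data"),
        "bob_unlisted_op": sp.authorize(bob, "unlisted-operation"),
    }
```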


