SSO authentication: a new approach
Ray Plante
rplante at ncsa.uiuc.edu
Sun Mar 20 22:45:32 PST 2005
On Sat, 19 Mar 2005, Guy Rixon wrote:
> it's always been the AstroGrid plan that group membership would be managed in
> community services, not at service-provider sites. This is to remove from
> the providers the admin burden of herding ~10,000 users.
I think this needs some thought. Groups are the focal point of
authorization policies which are decided ultimately by service providers.
I think that they will want full control over their creation and
management. In practice, I envision groups being created at the portal
level.
Consider the case of the PI-driven observatory. They will be continuously
creating many groups around telescope proposals to support proprietary
access to data. It is not until a particular group created by the
observatory wants to interoperate at a broader level--that is, the group
wants additional privileges from other sites assigned to that group--that
community coordination becomes necessary. I can think of several ways to
handle this:
a. the observatory uses a community service to define the group. This
can be problematic for the observatory if access to the community
service is occasionally disrupted.
b. the observatory defines the group themselves, but uses a community
service to register it. The intended difference here is that
registering is not required to start assigning local privileges and
letting the users use it. Registration could be
user-triggered; that is, postponed until the group wants to
explicitly "go global".
c. don't have any community-wide notion of a group because, perhaps,
it's not needed. Groups would only be defined on a per-portal basis.
As long as we have community-recognized user identities, portals and
services will always be able to resolve a user's privileges. The
fact that they operate as a member of one group and from a different
one at another site may not matter. Of course, we still need the
community notion of an anonymous group...
It sounds like you AstroGrid guys have some use cases/examples in mind
about how you see this working for you. Anything written out I could
look at?
cheers,
Ray
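Added illustration (not code from the thread or from AstroGrid) of option (b) above: the observatory creates proposal groups and grants local privileges immediately, while registration with a community service is deferred and may fail without affecting local access. The CommunityService, Observatory and remote_site_authorize names are assumptions made for this model.

```python
class CommunityUnavailable(Exception):
    pass

class CommunityService:
    """Community-wide group registry (assumed model, not an AstroGrid API)."""

    def __init__(self, up=True):
        self.up = up
        self.registered = {}          # group id -> set of community user ids

    def register(self, group_id, members):
        if not self.up:
            raise CommunityUnavailable(group_id)
        self.registered[group_id] = set(members)

    def members_of(self, group_id):
        if not self.up:
            raise CommunityUnavailable(group_id)
        return self.registered.get(group_id, set())

class Observatory:
    """Service provider that owns its proposal groups and access policy."""

    def __init__(self, community):
        self.community = community
        self.groups = {}              # group id -> set of user ids
        self.policy = {}              # resource -> set of group ids

    def create_group(self, group_id, members):
        # Option (b): the group exists and is usable locally at once.
        self.groups[group_id] = set(members)

    def grant(self, resource, group_id):
        self.policy.setdefault(resource, set()).add(group_id)

    def authorize(self, user, resource):
        # Purely local decision, unaffected by community-service outages.
        return any(user in self.groups.get(g, ())
                   for g in self.policy.get(resource, ()))

    def go_global(self, group_id):
        # User-triggered; fails while the community is down, but local grants stay in force.
        self.community.register(group_id, self.groups[group_id])

def remote_site_authorize(community, user, group_id):
    # Another site resolving a user's privileges through the registry.
    try:
        return user in community.members_of(group_id)
    except CommunityUnavailable:
        return False   # fail closed: no registry answer, no cross-site access
```

With the community service down, local authorization still succeeds while go_global raises and a remote site denies access; once the service is back and the group is registered, the remote site can resolve membership.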