term an attribute release policy. Both users and administrators should have some say over the contents of their attribute release policies.

Shibboleth offers numerous possibilities and potential advantages in the context of the grid. Single sign-on via authentication at a home site, with subsequent acceptance and recognition of that authentication and the associated attributes released to remote sites, is the most obvious advantage. Thus users need not remember X.509 certificate passwords but require only their own institutional usernames and passwords. Institutions can establish their own trust federations and agree and define their own policies on attribute release, and, importantly, SPs can decide which attributes and attribute values are needed for authorization decisions.

The uptake and adoption of Shibboleth technologies within a grid context is not without potential concerns, however. Sites need to be sure that collaborating sites have adopted appropriate security policies for authentication. Strong user passwords and unified account management across sites are needed. Shibboleth is also by its very nature much more static than the true vision of the grid, where VOs can be dynamically established at runtime, linking disparate computational and data resources. Instead, Shibboleth requires agreed sets of attributes that have been negotiated between sites. The UK Federation, for example, is based around the exchange of a small agreed set of eduPerson attributes [18] between IdPs and SPs in the federation.

It is important to note that these attributes are typically statically defined and agreed upon between the institutions prior to joining the federation, and hence before any formulation of VOs or requests to access grid resources; that is, they are based upon statically defined PMIs. This is often sufficient to allow access to certain resources: a given e-journal, for example, requires the SP only to know that the individual accessing the resource is from an institution that has paid its subscription for that journal. In the context of the grid, membership of an institution will not typically be sufficient information for a decision on access to a specific grid service hosted and managed by a given VO. Rather, VO-specific attributes are needed. This requires more dynamic models of attribute creation and assignment.

The JISC-funded DyVOSE project [19] developed solutions that allow for the dynamic creation and acceptance of attributes targeted to the specific needs of different VOs. This is more aligned with the dynamic creation of VOs across grid infrastructures where dynamic delegation of privilege is supported. As the complexity and number of security policies increase, the ability of a given SoA to delegate responsibility to others becomes necessary. Through extensions to the PERMIS software, DyVOSE supported dynamic delegation of authority, whereby grid sites were able to allow an attribute authority controlled by an external SoA to be delegated the ability to assign roles meaningful to the home SoA. Through this, a remote grid user could hold a role based in the home institution that allows access to potentially remote service provider grid resources.
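The following toy model, added here and not taken from the Shibboleth, PERMIS or DyVOSE code bases, illustrates the three ideas above: an IdP attribute release policy that filters what each SP receives, an e-journal SP for which institutional affiliation suffices versus a grid SP that requires a VO-specific role, and an external attribute authority whose delegated authority is limited to the roles the home SoA granted it. The eduPerson attribute names are real; every SP, user, role URN and policy value is constructed for the example.

```python
from dataclasses import dataclass, field

# eduPerson attribute names are real; every policy, user and SP below is constructed.
AFFILIATION = "eduPersonScopedAffiliation"
ENTITLEMENT = "eduPersonEntitlement"


@dataclass
class IdP:
    """Home-site IdP with a per-SP attribute release policy (ARP)."""
    arp: dict    # SP entityID -> set of attribute names that SP may receive
    users: dict  # username -> {attribute name: value}

    def release(self, user, sp):
        """Return only the attributes the ARP permits for this SP."""
        allowed = self.arp.get(sp, set())  # unknown SP: release nothing
        return {k: v for k, v in self.users[user].items() if k in allowed}


def ejournal_authorize(attrs, subscribed_scopes):
    """E-journal SP: membership of a subscribing institution is enough (static PMI)."""
    scope = attrs.get(AFFILIATION, "").partition("@")[2]
    return bool(scope) and scope in subscribed_scopes


def grid_authorize(attrs, required_role):
    """Grid service SP: a VO-specific role is required; affiliation alone is not."""
    return attrs.get(ENTITLEMENT) == required_role


@dataclass
class DelegatedAA:
    """Attribute authority run by an external SoA. The home SoA has delegated
    to it the ability to assign only the roles listed in delegated_roles."""
    delegated_roles: set
    issued: dict = field(default_factory=dict)

    def assign(self, user, role):
        if role not in self.delegated_roles:  # outside the delegated authority
            raise PermissionError(f"{role} is not within this AA's delegation")
        self.issued[user] = {ENTITLEMENT: role}
        return self.issued[user]


# Constructed federation: one IdP serving an e-journal SP and a grid SP.
IDP = IdP(
    arp={"ejournal-sp": {AFFILIATION}, "grid-sp": {AFFILIATION, ENTITLEMENT}},
    users={"alice": {AFFILIATION: "member@example.ac.uk",
                     "mail": "alice@example.ac.uk"}},
)
```

Note that `mail` never leaves the IdP for either SP, and the grid SP only grants access once an attribute the home SoA explicitly delegated is added to the released set.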