Biomedical Engineering Reference
services. Authentication is handled by an authentication service that provides
a consistent front end to a variety of technologies such as Lightweight Directory
Access Protocol (LDAP) or Shibboleth (http://shibboleth.internet2.edu/) and
Dorian, a caBIG service that accepts signed Security Assertion Markup Language
(SAML) assertions from the authentication service and provides X.509 proxies
(a type of digital certificate) for invoking secure services. The grid trust service
(GTS) mediates trust by verifying that SAML assertions or X.509 certificates
are from trusted sources, while the credential delegation service (CDS) provides
a means to delegate credentials during workflows. Authorization is delegated
to the receiving service, which can utilize the caBIG-developed grid
grouper to assign roles and attributes to the credentials that are requesting access.
The general flow of accessing a secured grid service is shown in Figure 17.4.
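The flow just described (authenticate, exchange the assertion for a short-lived proxy credential, have the GTS check the issuer, then let the receiving service authorize by group) can be modelled in a few classes. The following is an added example written for this page, not caGrid's own code: HMAC over a canonicalised claim set stands in for SAML XML signatures and X.509 proxy certificates so that it runs with the Python standard library only, and every key, user, group and service name is constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys. Real caGrid components hold X.509 key pairs;
# shared HMAC secrets are used here only to keep the model self-contained.
AUTH_KEY = b"constructed-auth-service-key"
DORIAN_KEY = b"constructed-dorian-key"


def _sign(key, claims):
    """Stand-in for an XML/X.509 signature over a canonicalised claim set."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _token(key, **claims):
    return {"claims": claims, "sig": _sign(key, claims)}


class AuthenticationService:
    """Consistent front end over an identity store (LDAP, Shibboleth, ...)."""

    def __init__(self, name, key, users):
        self.name, self.key, self.users = name, key, users

    def authenticate(self, user, password, now):
        # Constructed identity store; a plain compare keeps the model short.
        if self.users.get(user) != password:
            return None
        return _token(self.key, issuer=self.name, subject=user, kind="saml",
                      not_before=now, not_after=now + 300)


class GridTrustService:
    """GTS: decides which assertion signers and credential issuers are trusted."""

    def __init__(self):
        self.trusted = {}

    def trust(self, issuer, key):
        self.trusted[issuer] = key

    def verify(self, token, now):
        claims = token["claims"]
        key = self.trusted.get(claims["issuer"])
        if key is None:
            return False  # issuer not in the trust fabric
        if not hmac.compare_digest(_sign(key, claims), token["sig"]):
            return False  # forged or tampered
        return claims["not_before"] <= now < claims["not_after"]


class Dorian:
    """Exchanges a trusted assertion for a short-lived proxy credential."""

    def __init__(self, name, key, gts, lifetime=3600):
        self.name, self.key, self.gts, self.lifetime = name, key, gts, lifetime

    def issue_proxy(self, assertion, now):
        if not self.gts.verify(assertion, now) or assertion["claims"]["kind"] != "saml":
            raise PermissionError("assertion not trusted")
        return _token(self.key, issuer=self.name, subject=assertion["claims"]["subject"],
                      kind="proxy", not_before=now, not_after=now + self.lifetime)


class GridGrouper:
    def __init__(self, groups):
        self.groups = groups

    def is_member(self, subject, group):
        return subject in self.groups.get(group, ())


class SecureService:
    """The receiving service authorizes: trust check first, then group check."""

    def __init__(self, gts, grouper, required_group):
        self.gts, self.grouper, self.required_group = gts, grouper, required_group

    def invoke(self, credential, now):
        if not self.gts.verify(credential, now) or credential["claims"]["kind"] != "proxy":
            return "denied: untrusted or expired credential"
        subject = credential["claims"]["subject"]
        if not self.grouper.is_member(subject, self.required_group):
            return f"denied: {subject} not in {self.required_group}"
        return f"ok: {subject}"


def run_scenarios(now=1_000_000):
    """Walk the Figure 17.4 flow for several constructed cases."""
    gts = GridTrustService()
    auth = AuthenticationService("idp.example", AUTH_KEY, {"alice": "pw-a", "bob": "pw-b"})
    dorian = Dorian("dorian.example", DORIAN_KEY, gts)
    gts.trust(auth.name, AUTH_KEY)
    gts.trust(dorian.name, DORIAN_KEY)
    service = SecureService(gts, GridGrouper({"data-readers": {"alice"}}), "data-readers")

    results = {}
    proxy = dorian.issue_proxy(auth.authenticate("alice", "pw-a", now), now)
    results["happy_path"] = service.invoke(proxy, now)
    results["expired_proxy"] = service.invoke(proxy, now + dorian.lifetime)
    results["wrong_password"] = auth.authenticate("alice", "nope", now)
    results["not_in_group"] = service.invoke(
        dorian.issue_proxy(auth.authenticate("bob", "pw-b", now), now), now)
    unknown = _token(b"constructed-unknown-key", issuer="other.example", subject="alice",
                     kind="saml", not_before=now, not_after=now + 300)
    try:
        dorian.issue_proxy(unknown, now)
        results["untrusted_issuer"] = "issued"
    except PermissionError:
        results["untrusted_issuer"] = "rejected"
    return results
```

The point the model makes is the separation of duties in the text: Dorian only mints a proxy for an assertion the GTS already trusts, and the secure service never consults the identity store at all, only the GTS (is this credential trusted and unexpired?) and the grid grouper (is this subject in the required group?).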
On the policy side, the DSIC workspace and its associated knowledge
center (see below) provide leadership to the caBIG community. The primary
product of the DSIC workspace is the caBIG data sharing and security framework
(DSSF), a collection of policies, procedures, and model agreements that
can be used to support data sharing [33]. The central element of the DSSF is
the DSSF decision support tree, which is used to help classify the level of sensitivity
of data. Supporting the primary DSSF components are a series of decision
support tools for human research, privacy, contract terms, and intellectual
property issues—a model informed consent document and other associated
Figure 17.4 Invoking a secure service in caGrid. (Diagram not reproduced: the Client, Authentication Service, Dorian, GTS, and Secure Service are connected by numbered steps 1 to 6, with the SAML assertion and the grid certificate as the exchanged messages.)