
CDS


Delegating a Credential



Overview

The Credential Delegation Service (CDS) allows a user or service (the delegator) to delegate their credential to other users or services (delegatees). To delegate a credential, the delegator must specify the following:

  1. Delegation Service - The Service URL of the delegation service.
  2. Credential - The credential to delegate.
  3. Delegation Lifetime - The amount of time for which the CDS will be allowed to issue credentials to third parties.
  4. Delegation Path Length - A path length specifies the length of a credential chain. For example, a credential with a length of 2 means that the credential can be delegated to a second party, and the second party could in turn delegate the credential to a third party, at which point the third party can no longer delegate the credential. The Delegation Path Length specifies the path length of the credential being delegated to the CDS. The credential being delegated to the CDS will be used for issuing credentials to third parties, thus at minimum the delegation path length must be 1. A delegation path length of 1 will suffice for the majority of use cases.
  5. Issued Credential Lifetime - The amount of time for which credentials issued by the CDS to third parties will be valid.
  6. Issued Credential Path Length - A path length specifies the length of a credential chain. For example, a credential with a length of 2 means that the credential can be delegated to a second party, and the second party could in turn delegate the credential to a third party, at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
  7. Delegation Policy - The Delegation Policy specifies which parties are allowed to obtain a delegator's credential.

The CDS was designed to support multiple delegation policy types. This guide provides instructions on how to delegate a credential with an Identity Delegation Policy as well as with a Group Delegation Policy.
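
The path-length and policy rules above, modeled in Python as an added example (not caGrid code or its API). The class names, the sample identities, and two rules (an issued credential cannot outlive the one the CDS holds, and issuing consumes one hop of path length) are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Credential:
    identity: str        # grid identity the credential speaks for
    path_length: int     # onward delegations still permitted
    not_after: datetime  # expiry time

    def delegate(self, now, lifetime):
        """Hand the credential to the next party; each hop uses one unit of path length."""
        if now >= self.not_after:
            raise PermissionError("credential expired")
        if self.path_length < 1:
            raise PermissionError("path length 0: no further delegation")
        # Assumption of this model: a child never outlives its parent.
        return Credential(self.identity, self.path_length - 1,
                          min(now + lifetime, self.not_after))

@dataclass(frozen=True)
class Delegation:
    """State the CDS would hold once the seven parameters are supplied."""
    held: Credential            # credential delegated to the CDS (items 2-4)
    issued_lifetime: timedelta  # item 5
    issued_path_length: int     # item 6
    allowed: frozenset          # item 7, Identity Delegation Policy

    def __post_init__(self):
        if self.held.path_length < 1:
            raise ValueError("delegation path length must be at least 1")
        # Assumption: issuing is itself one hop, so at most held - 1 remains.
        if not 0 <= self.issued_path_length <= self.held.path_length - 1:
            raise ValueError("issued path length exceeds what the CDS holds")

    def issue(self, requester, now):
        """Issue a credential to a delegatee if the policy lists its identity."""
        if requester not in self.allowed:
            raise PermissionError("requester not in delegation policy")
        child = self.held.delegate(now, self.issued_lifetime)
        return Credential(child.identity, self.issued_path_length, child.not_after)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)  # constructed sample values throughout
    held = Credential("/O=Example/CN=alice", 1, now + timedelta(hours=4))
    cds = Delegation(held, timedelta(hours=1), 0, frozenset({"/O=Example/CN=svc"}))
    issued = cds.issue("/O=Example/CN=svc", now)
    print(issued.path_length, issued.not_after)
```

With a Delegation Path Length of 1 the only Issued Credential Path Length this model accepts is 0, which matches the values chosen in the procedures that follow.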

Delegate a Credential (Identity Delegation Policy)

Delegating a credential with an Identity Delegation Policy enables the delegator to provide a list of identities, or delegatees, that may have access to their credential. The GAARDS UI provides a mechanism for delegating credentials. To delegate a credential with the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login using your user account.
  3. From the MyAccount menu select Delegate Credential; this will launch the Delegate Credential Step 1 of 2 window.
  4. From the Delegation Service drop down select the Credential Delegation Service to delegate your credential to.
  5. From the Credential drop down select the credential to delegate.
  6. From the Delegation Lifetime drop downs specify how long the CDS may delegate your credential for.
  7. From the Delegation Path Length drop down select 1.
  8. From the Issued Credential Lifetime drop downs specify how long the credentials issued to third parties by the CDS should be valid for.
  9. From the Issued Credential Length drop down select 0.
  10. From the Delegation Policy drop down select Identity Delegation Policy.
  11. Click the Delegate button; this will launch the Delegate Credential Step 2 of 2 window, which will allow you to specify your delegation policy.
  12. To give a party the ability to obtain a delegated credential, enter the Grid Identity of the party in the Grid Identity text field and click the Add button. Repeat this step for each party you wish to delegate your credential to. All parties to which you have granted the ability to obtain your credential will be listed in the table above the Grid Identity text field.
  13. Click the Delegate button to delegate your credential.

Delegate a Credential (Group Delegation Policy)

Delegating a credential with a Group Delegation Policy enables the delegator to specify a Grid Grouper group such that the members of the group may have access to their credential. The GAARDS UI provides a mechanism for delegating credentials. To delegate a credential with the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login using your user account.
  3. From the MyAccount menu select Delegate Credential; this will launch the Delegate Credential Step 1 of 2 window.
  4. From the Delegation Service drop down select the Credential Delegation Service to delegate your credential to.
  5. From the Credential drop down select the credential to delegate.
  6. From the Delegation Lifetime drop downs specify how long the CDS may delegate your credential for.
  7. From the Delegation Path Length drop down select 1.
  8. From the Issued Credential Lifetime drop downs specify how long the credentials issued to third parties by the CDS should be valid for.
  9. From the Issued Credential Length drop down select 0.
  10. From the Delegation Policy drop down select Group Delegation Policy.
  11. Click the Delegate button; this will launch the Delegate Credential Step 2 of 2 window, which will allow you to specify your delegation policy.
  12. To give members of a Grid Grouper group the ability to access your delegated credential, you must specify the URL of the Grid Grouper in the Grid Grouper URL text field and the system name of the group in the Group Name text field. You may also click the Browse Groups button, which will bring up a browser that will allow you to browse to the group you want and will fill in the two fields for you.
  13. Click the Delegate Credential button to delegate your credential.
Last edited by
Stephen Langella (1178 days ago)