Dorian


Grid User Management



The Grid leverages Public Key Infrastructure (PKI) for authentication. PKI is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital credentials. Under PKI a user's credentials consist of a public X.509 certificate and a private key. These credentials are generally contained in two encoded files, one for the certificate and one for the private key. It is the responsibility of the party owning the credential to keep the private key secret.

Dorian abstracts the complexities of PKI from users, allowing users who have accounts with an Identity Provider trusted by Dorian to use their existing credentials to obtain PKI credentials. For example, if Dorian trusts the Ohio State University as an Identity Provider, a user from Ohio State University can use their username and password to obtain a user certificate and private key, which they can then use to authenticate with web/grid services. In this manner Dorian is a federated identity management solution: it federates existing identities into a web/grid services architecture.

The Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. Dorian leverages SAML to allow a user from a trusted identity provider to use any existing authentication method to obtain PKI credentials from Dorian, so that they may authenticate in a web/grid services environment. SAML enables Dorian to federate any existing identity management solution into a web/grid services environment.

The figure to the right illustrates an example usage scenario for Dorian. To obtain PKI credentials, users authenticate with their organization using the organization's conventional mechanism. Upon successfully authenticating the user, the local organization issues a digitally signed SAML assertion, vouching that the user has authenticated. The user then sends this SAML assertion to Dorian in exchange for PKI credentials. Dorian will only issue grid credentials to users who supply a SAML assertion from a Trusted Identity Provider. In the example shown, a Georgetown user wishes to invoke a grid service that requires PKI credentials. To accomplish this, they first supply the application with their Georgetown username and password, as they normally would. The application client authenticates the user with the Georgetown Authentication Service, which issues and returns a signed SAML assertion; the client then passes this assertion to Dorian in exchange for PKI credentials. These credentials can then be used to invoke the web/grid services.

To facilitate smaller groups or organizations without an existing identity provider, Dorian also has its own internal identity provider. The Dorian Identity Provider allows users to authenticate to Dorian directly, thereby enabling them to obtain PKI credentials to authenticate to web/grid services. The figure to the right illustrates a scenario of a client using the Dorian Identity Provider to authenticate to the Grid. In this scenario, an unaffiliated user wishes to invoke a web/grid service. Given that this user has registered and been approved for an account with the Dorian Identity Provider, she is able to authenticate with the Dorian Identity Provider by supplying her username and password. Upon successfully authenticating the user, the Dorian Identity Provider issues a SAML Assertion, just as other organizational identity providers do. The SAML Assertion issued by the Dorian Identity Provider can be presented to Dorian to obtain PKI credentials, which can then be used for authenticating with web/grid services.
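The exchange described in the two scenarios above, as an added illustration that is not Dorian's own code: an identity provider vouches for a locally authenticated user with a signed assertion, and Dorian issues grid credentials only when the issuer is trusted, the signature verifies and the assertion is fresh. The trusted-issuer list, the HMAC stand-in for the IdP's signing credential, the JSON assertion shape and the subject DN format are all assumptions made to keep the example self-contained; real Dorian deployments exchange XML-signed SAML assertions.

```python
import hashlib
import hmac
import json

# Constructed data: the identity providers Dorian trusts, keyed by issuer name.
# HMAC keys stand in for each IdP's X.509 signing credential (an assumption that
# keeps the example stdlib-only; real SAML assertions carry XML signatures).
TRUSTED_IDPS = {
    "georgetown.example": b"georgetown-idp-signing-key",
    "dorian-idp.example": b"dorian-internal-idp-key",
}

def _sign(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def idp_issue_assertion(issuer, key, username, now):
    """IdP side: after local authentication succeeds, vouch for the user."""
    body = {"issuer": issuer, "subject": username, "issued_at": now}
    return {"body": body, "signature": _sign(key, body)}

def dorian_issue_credentials(assertion, now, trusted=TRUSTED_IDPS):
    """Dorian side: trusted issuer, valid signature and a fresh assertion (300 s)
    are all required before credentials are issued; the placeholder subject DN
    combines issuer and local username into one federated grid identity."""
    body = assertion["body"]
    key = trusted.get(body["issuer"])
    if key is None:
        raise PermissionError("issuer is not a trusted identity provider")
    if not hmac.compare_digest(_sign(key, body), assertion["signature"]):
        raise PermissionError("assertion signature does not verify")
    if not 0 <= now - body["issued_at"] <= 300:
        raise PermissionError("assertion expired or not yet valid")
    subject = f"/O=caGrid/OU={body['issuer']}/CN={body['subject']}"
    return {"certificate_subject": subject, "private_key": "<generated locally>"}

def demo(now=1_000_000):
    """Georgetown scenario plus the assertions Dorian must reject."""
    idp, key = "georgetown.example", TRUSTED_IDPS["georgetown.example"]
    good = dorian_issue_credentials(idp_issue_assertion(idp, key, "alice", now), now)
    tampered = idp_issue_assertion(idp, key, "alice", now)
    tampered["body"]["subject"] = "admin"  # altered after signing
    untrusted = idp_issue_assertion("unknown.example", b"unknown-key", "alice", now)
    stale = idp_issue_assertion(idp, key, "alice", now - 3600)
    rejected = []
    for bad in (tampered, untrusted, stale):
        try:
            dorian_issue_credentials(bad, now)
        except PermissionError as exc:
            rejected.append(str(exc))
    return good["certificate_subject"], rejected
```

The same `dorian_issue_credentials` path serves the internal Dorian Identity Provider scenario, since it is simply one more trusted issuer.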

User Account Management

Last edited by Sarah Honacki (854 days ago)