
GAARDS UI


Credentials



Delegating a Credential


[ CDS: Administrators Guide | Design | Developers Guide | Users Guide | caGrid: Documentation Guides ]

Overview

The Credential Delegation Service (CDS) allows a user/service (delegator) to delegate their credential to other users/services (delegatees). To delegate a credential, the delegator must specify the following:

  1. Delegation Service - The Service URL of the delegation service.
  2. Credential - The credential to delegate.
  3. Delegation Lifetime - The amount of time for which the CDS will be allowed to issue credentials to third parties.
  4. Delegation Path Length - A path length specifies the length of a credential chain. For example, a credential with a path length of 2 can be delegated to a second party, and the second party can in turn delegate it to a third party, at which point the third party can no longer delegate the credential. The Delegation Path Length specifies the path length of the credential being delegated to the CDS. The credential delegated to the CDS is used for issuing credentials to third parties, so the delegation path length must be at least 1. A delegation path length of 1 will suffice for the majority of use cases.
  5. Issued Credential Lifetime - The amount of time for which credentials issued by the CDS to third parties will be valid.
  6. Issued Credential Path Length - The path length of the credentials issued to third parties (path length is explained under Delegation Path Length above). An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
  7. Delegation Policy - The Delegation Policy specifies which parties are allowed to obtain a delegator's credential.

The CDS was designed to support multiple delegation policy types. This guide provides instructions on how to delegate a credential with an Identity Delegation Policy as well as with a Group Delegation Policy.
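
The path length, lifetime and policy parameters above, modelled as an added example (not caGrid or CDS code): each delegation issues the next link of the chain with a strictly smaller path length, so a Delegation Path Length of 1 with an Issued Credential Path Length of 0 leaves the third party unable to delegate further. The class and function names, the sample identities, and the rule that a link never outlives its issuer are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Credential:
    holder: str        # Grid Identity of the party holding this link of the chain
    path_length: int   # number of further delegations still allowed below it
    expires: datetime

    def delegate(self, to, path_length, lifetime, now):
        """Issue the next link of the chain to `to`, or refuse."""
        if now >= self.expires:
            raise PermissionError("issuing credential has expired")
        if self.path_length < 1:
            raise PermissionError("path length 0: holder may not delegate further")
        if not 0 <= path_length < self.path_length:
            raise ValueError("requested path length exceeds what the chain allows")
        # Assumption: a link never outlives the credential that issued it.
        return Credential(to, path_length, min(now + lifetime, self.expires))

@dataclass(frozen=True)
class Delegation:
    # What this model CDS stores for one delegated credential (hypothetical type).
    cds_credential: Credential   # valid for the Delegation Lifetime
    issued_lifetime: timedelta
    issued_path_length: int
    allowed: frozenset           # Identity Delegation Policy: permitted Grid Identities

    def obtain(self, requester, now):
        if requester not in self.allowed:
            raise PermissionError("access denied by delegation policy")
        return self.cds_credential.delegate(
            requester, self.issued_path_length, self.issued_lifetime, now)

def delegate_to_cds(user_credential, delegation_lifetime, delegation_path_length,
                    issued_lifetime, issued_path_length, allowed, now):
    # The CDS must be able to issue at least one more link, hence the minimum of 1.
    if delegation_path_length < 1:
        raise ValueError("delegation path length must be at least 1")
    cds = user_credential.delegate("CDS", delegation_path_length, delegation_lifetime, now)
    return Delegation(cds, issued_lifetime, issued_path_length, frozenset(allowed))

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)  # constructed sample values throughout
    user = Credential("/O=Example/CN=delegator", 2, t0 + timedelta(hours=12))
    d = delegate_to_cds(user, timedelta(hours=4), 1, timedelta(hours=1), 0,
                        {"/O=Example/CN=delegatee"}, t0)
    print(d.obtain("/O=Example/CN=delegatee", t0))
```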

Delegate a Credential (Identity Delegation Policy)

Delegating a credential with an Identity Delegation Policy enables the delegator to provide a list of identities (delegatees) that may have access to their credential. The GAARDS UI provides a mechanism for delegating credentials. To delegate a credential with the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login using your user account.
  3. From the MyAccount menu select Delegate Credential. This will launch the Delegate Credential Step 1 of 2 window.
  4. From the Delegation Service drop down select the Credential Delegation Service to delegate your credential to.
  5. From the Credential drop down select the credential to delegate.
  6. From the Delegation Lifetime drop downs specify how long the CDS may delegate your credential for.
  7. From the Delegation Path Length drop down select 1.
  8. From the Issued Credential Lifetime drop downs specify how long the credentials issued to third parties by the CDS should be valid for.
  9. From the Issued Credential Length drop down select 0.
  10. From the Delegation Policy drop down select Identity Delegation Policy.
  11. Click the Delegate button. This will launch the Delegate Credential Step 2 of 2 window, which will allow you to specify your delegation policy.
  12. To give a party the ability to obtain a delegated credential, enter the Grid Identity of the party in the Grid Identity text field and click the Add button. Repeat this step for each party you wish to delegate your credential to. All parties to which you have granted the ability to obtain your credential will be listed in the table above the Grid Identity text field.
  13. Click the Delegate button to delegate your credential.

Delegate a Credential (Group Delegation Policy)

Delegating a credential with a Group Delegation Policy enables the delegator to specify a Grid Grouper group such that the members of the group may have access to their credential. The GAARDS UI provides a mechanism for delegating credentials. To delegate a credential with the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login using your user account.
  3. From the MyAccount menu select Delegate Credential. This will launch the Delegate Credential Step 1 of 2 window.
  4. From the Delegation Service drop down select the Credential Delegation Service to delegate your credential to.
  5. From the Credential drop down select the credential to delegate.
  6. From the Delegation Lifetime drop downs specify how long the CDS may delegate your credential for.
  7. From the Delegation Path Length drop down select 1.
  8. From the Issued Credential Lifetime drop downs specify how long the credentials issued to third parties by the CDS should be valid for.
  9. From the Issued Credential Length drop down select 0.
  10. From the Delegation Policy drop down select Group Delegation Policy.
  11. Click the Delegate button. This will launch the Delegate Credential Step 2 of 2 window, which will allow you to specify your delegation policy.
  12. To give members of a Grid Grouper group the ability to access your delegated credential, you must specify the URL of the Grid Grouper in the Grid Grouper URL text field and the system name of the group in the Group Name text field. You may also click the Browse Groups button, which will bring up a browser that will allow you to browse to the group you want and will fill in the two fields for you.
  13. Click the Delegate Credential button to delegate your credential.

Obtain Delegated Credential



The Credential Delegation Service (CDS) allows a user/service (delegator) to delegate their credential to other user/services (delegatee). The GAARDS UI provides a mechanism for delegatees to get a credential delegated to them by a delegator. To obtain a delegated credential please complete the following steps:

  1. Launch the GAARDS UI.
  2. Login using your user account.
  3. From the MyAccount menu select Get Delegated Credential. This will launch the Get Delegated Credential window. At this point the UI will go out and discover all the credentials that have been delegated to you by other parties.
  4. From the table select the credential you wish to obtain and click the Obtain Credential button. This will obtain the delegated credential and launch the Proxy Manager window with the delegated credential. The Proxy Manager window allows the management of grid proxies or grid credentials.
  5. Click the Set Default button. You are now logged in as the party that delegated their credential to you.

Managing Delegated Credentials



Overview

The Credential Delegation Service (CDS) allows a user/service (delegator) to delegate their credential to other user/services (delegatee). The CDS provides a mechanism for administrators to view and manage all the delegated credentials.  In this guide we will provide documentation on managing delegated credentials.

Searching for Delegated Credentials

The GAARDS UI provides administrators a mechanism for monitoring and managing credentials that have been delegated through the CDS.   Administrators can search for delegated credentials using the following search criteria:

Search Criteria | Description
Grid Identity | The Grid Identity of the user that the delegated credential belongs to.
Delegation Identifier | The unique identifier assigned to the delegated credential by the CDS.
Expiration Status | The expiration status of the delegated credential: (1) Valid or (2) Expired.
Delegation Status | The status of the delegated credential:
  • Pending - the delegated credential has not been approved.
  • Approved - the delegated credential is approved and active.
  • Suspended - access to the delegated credential has been suspended.

To search for delegated credentials using the GAARDS UI, please complete the following steps:

  1. Launch the GAARDS UI.
  2. Login as a CDS administrator.
  3. From the top menu bar select Account Management, then select Delegation Management, then select Manage Delegated Credentials. This will bring up a window for managing delegated credentials.
  4. From the Delegation Service drop down select the Credential Delegation Service you wish to manage your credentials on.
  5. From the Credential drop down select your Grid credential.
  6. Specify your desired search criteria.
  7. Click the Search button.

When the search has completed the delegated credentials meeting the specified search criteria will be listed in the table below the search button.

Viewing a Delegated Credential

To view the details of an individual delegated credential, perform a search as directed above, select the credential you wish to view and click the View button. This will launch a window containing the details for the delegated credential you selected. The window contains four tabs: (1) General Information, (2) Delegation Policy, (3) Certificate Chain, (4) Auditing. We discuss the information contained in each tab below.

General Information

The General Information tab contains attributes identifying the delegated credential.   These attributes are listed in the table below:

Attribute | Description
Grid Identity | The identity of the party who owns the credential.
Delegation Identifier | A unique identifier assigned to the delegated credential by the CDS.
Initiated On | The date that the delegated credential was requested.
Approved On | The date that the delegated credential was approved.
Expires On | The date that the delegated credential expires.
Issued Credential Lifetime | The amount of time that credentials issued by the CDS to third parties will be valid for.
Issued Credential Path Length | A path length specifies the length of a credential chain. For example, a credential with a path length of 2 can be delegated to a second party, and the second party can in turn delegate it to a third party, at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
Delegation Status | The status of the delegated credential: Pending, Approved, or Suspended.

The CDS allows administrators to suspend and re-instate access to delegated credentials. To update the status of a delegated credential, modify the status and click the Update Status button.

Delegation Policy

The Delegation Policy tab specifies which delegation policy was chosen and the details of that delegation policy.  The delegation policy cannot be updated once the credential has been delegated.  Viewing the delegation policy provides insight to administrators  on who can access the delegated credential.

Certificate Chain

The Certificate Chain tab contains the certificate chain of the delegated credential. You can view an individual certificate in the chain by selecting the certificate and clicking the View Certificate button.

Auditing

For security purposes and to give administrators insight on a delegated credential, the CDS maintains a list of auditing information for each delegated credential.   The following is a list of auditing information maintained for each delegated credential:

Audit Criteria | Description
Delegation Initiation | Documents when the delegation was initiated.
Delegation Approval | Documents when the delegation was approved.
Delegation Status Update | Documents when and by whom the status of a delegated credential was changed.
Credential Issued | Documents when and to whom a delegated credential was issued.
Access Denied to Credential | Documents when access to a delegated credential was denied.

The GAARDS UI allows CDS administrators to search the auditing information for a delegated credential based on the following search criteria:

Criteria | Description
Reporting Party | The identity of the party that performed or reported the action.
Audit Type | The type of auditing information; please consult the table above for the different types.
Start Date | The start of the date/time range in which the event occurred.
End Date | The end of the date/time range in which the event occurred.
Message | Search the content of the Audit Message.

Using the GAARDS UI, administrators can search the auditing information by completing the following steps:

  1. Select the Audit tab.
  2. Enter the desired search criteria; please consult the table above. If no search criteria are specified, all audit records for the user will be returned.
  3. Click the "Search" button.

When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button.  To view the complete details of a specific audit record, select that record in the table and click the View button.  This will launch a window containing the complete details of the audit record you selected.

Removing a Delegated Credential

The CDS allows administrators to remove delegated credentials. To remove a delegated credential using the GAARDS UI, complete the following steps:

  1. Launch the GAARDS UI.
  2. Login as a CDS administrator.
  3. From the top menu bar select Account Management, then select Delegation Management, then select Manage Delegated Credentials. This will bring up a window for managing delegated credentials.
  4. From the Delegation Service drop down select the Credential Delegation Service you wish to manage your credentials on.
  5. From the Credential drop down select your Grid credential.
  6. Specify your desired search criteria.
  7. Click the Search button. This will list the delegated credentials meeting your search criteria in the table below the search button.
  8. Select the delegated credential you wish to remove.
  9. Click the Delete button. This will remove the selected delegated credential.
Last edited by
Sarah Honacki (813 days ago)