This afternoon’s session on “Middleware for advanced users” had three very interesting talks (https://tnc2011.terena.org/core/session/12).
The session was aimed at exploring the status of middleware currently in use or being developed to support the needs of communities wishing to run federated advanced applications, i.e. not just simple web single sign-on.
Firstly, Sam Hartman gave a general presentation on Project Moonshot; his stated aim is to make federated authentication the norm, not just a special case. The developers have made impressive progress since last year’s TNC and are able to demonstrate federated authentication of many different applications, many of which needed little modification. They are also making good progress on the IETF standards related to this work.
David Groep then gave a very nice overview of the technology used for federated authentication and authorisation in the Grids today. The production workload supported on EGI today is close to a million jobs per day, running at more than 300 sites in 58 countries on behalf of nearly 200 different user communities (VOs). The AAI model was described in detail; it consists not only of technology components but also of the trust and policy arrangements that enable sites from many different management domains to accept each other’s security tokens and work together. “Delegation” is an important requirement for Grids, namely the ability for Grid services to act on behalf of the user at times when the user is disconnected. The AAI developed for Grids provides this important functionality.
Daniel Kouril then tied the two previous talks together by describing recent work to apply Moonshot to the MyProxy service used by many Grids today. This interesting development allows a Grid user to authenticate using Moonshot credentials and then either obtain X.509 Grid credentials from MyProxy or even authenticate to the Grid services directly.
Much of the discussion after the talks related to the well-established requirement for users or services to be able to aggregate attributes from multiple sources of authority. Users today need identity attributes from their home institute but also authorisation-related attributes issued by their community or VO. Much of the technology required to do this aggregation is now in place, but how to do it in a trustworthy way, and how to tell which attributes come from which authority, still seems to be open work. I am sure that many of these issues will be discussed at the BOF this week on Thursday afternoon – “Proposal for a global trust & identity system for education & research”. See https://tnc2011.terena.org/core/event/19