Using SAML and XACML for Complex Authorisation Scenarios in Dynamic Resource Provisioning

This paper presents ongoing research and current results on the development of flexible access control infrastructures for complex resource provisioning in grid-based collaborative applications and on-demand network service provisioning. The paper identifies the basic resource provisioning models and specifies the major requirements that an authorisation (AuthZ) service infrastructure must meet to support them, focusing on two main issues: AuthZ session support and policy expression for complex resource models. For the practical implementation, we investigate the use of two widely adopted standards, SAML and XACML, for complex authorisation scenarios in dynamic resource provisioning across multiple administrative and security domains. The paper describes a proposed XML-based AuthZ ticket format capable of carrying an extended AuthZ session context. Additionally, it discusses what functionality should be added to existing grid-oriented authorisation frameworks to handle dynamic, domain-related security context, including AuthZ session support. The paper is based on experience gained from major grid-based and grid-oriented projects such as EGEE, NextGrid, Phosphorus and GigaPort research on network
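To make the two issues named in the abstract concrete, the following Python script (added here as an illustration; it is not code from the paper and does not reproduce its XML ticket format) evaluates an XACML 2.0 policy with a minimal PDP and then binds a Permit decision to an AuthZ session in a MAC-protected ticket that a PEP can re-validate without another PDP round trip. The policy, the request attributes (`role`, `resource-type`, `authz-session-id`), the ticket layout and the HMAC key are all constructed for the example; the PDP understands only the `and`, `string-equal` and `string-one-and-only` functions and assumes empty Targets.

```python
"""Illustrative XACML evaluation plus session-bound AuthZ ticket.

Assumptions (not from the paper): policy subset, request layout, ticket
fields and the HMAC key are all constructed for this example.
"""
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample policy: a "researcher" may "reserve" a "lightpath";
# anything else falls through to the default-deny rule.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="lightpath-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="researcher-may-reserve" Effect="Permit">
    <Condition>
      <Apply FunctionId="{FN}and">
        <Apply FunctionId="{FN}string-equal">
          <Apply FunctionId="{FN}string-one-and-only">
            <SubjectAttributeDesignator AttributeId="role" DataType="{XS_STRING}"/>
          </Apply>
          <AttributeValue DataType="{XS_STRING}">researcher</AttributeValue>
        </Apply>
        <Apply FunctionId="{FN}string-equal">
          <Apply FunctionId="{FN}string-one-and-only">
            <ResourceAttributeDesignator AttributeId="resource-type" DataType="{XS_STRING}"/>
          </Apply>
          <AttributeValue DataType="{XS_STRING}">lightpath</AttributeValue>
        </Apply>
        <Apply FunctionId="{FN}string-equal">
          <Apply FunctionId="{FN}string-one-and-only">
            <ActionAttributeDesignator AttributeId="action-id" DataType="{XS_STRING}"/>
          </Apply>
          <AttributeValue DataType="{XS_STRING}">reserve</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

CATEGORY = {"SubjectAttributeDesignator": "subject", "ResourceAttributeDesignator": "resource",
            "ActionAttributeDesignator": "action", "EnvironmentAttributeDesignator": "environment"}


def make_request(subject_id, role, resource_id, action, session_id):
    """Request context as category -> attribute-id -> bag (list) of values."""
    return {"subject": {"subject-id": [subject_id], "role": [role]},
            "resource": {"resource-id": [resource_id], "resource-type": ["lightpath"]},
            "action": {"action-id": [action]},
            "environment": {"authz-session-id": [session_id]}}


def evaluate_expr(node, request):
    """Evaluate an XACML expression subtree; designators yield bags, values scalars."""
    tag = node.tag.split("}", 1)[-1]
    if tag == "AttributeValue":
        return node.text
    if tag in CATEGORY:
        return request.get(CATEGORY[tag], {}).get(node.get("AttributeId"), [])
    if tag == "Apply":
        fn = node.get("FunctionId")[len(FN):]
        args = [evaluate_expr(child, request) for child in node]
        if fn == "string-one-and-only":
            if len(args[0]) != 1:          # missing or multi-valued attribute
                raise ValueError("Indeterminate")
            return args[0][0]
        if fn == "string-equal":
            return args[0] == args[1]
        if fn == "and":
            return all(args)
    raise ValueError(f"unsupported element/function: {tag}")


def evaluate_policy(policy_xml, request):
    """Minimal PDP: first-applicable over Rules; Targets assumed empty."""
    for rule in ET.fromstring(policy_xml).findall(f"{{{XACML}}}Rule"):
        cond = rule.find(f"{{{XACML}}}Condition")
        try:
            applies = True if cond is None else bool(evaluate_expr(cond[0], request))
        except ValueError:
            return "Indeterminate"
        if applies:
            return rule.get("Effect")
    return "NotApplicable"


def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_ticket(key, request, decision, ttl=3600, now=None):
    """PEP-side ticket caching a Permit, bound to subject, resource, action and AuthZ session."""
    if decision != "Permit":
        raise ValueError("only Permit decisions are cached")
    now = time.time() if now is None else now
    body = {"subject": request["subject"]["subject-id"][0], "resource": request["resource"]["resource-id"][0],
            "action": request["action"]["action-id"][0], "session": request["environment"]["authz-session-id"][0],
            "exp": now + ttl}
    return {"body": body, "mac": _mac(key, body)}


def validate_ticket(key, ticket, request, now=None):
    """Accept only an unexpired, untampered ticket whose binding matches the new request exactly."""
    now = time.time() if now is None else now
    b = ticket["body"]
    if not hmac.compare_digest(_mac(key, b), ticket["mac"]) or now >= b["exp"]:
        return False
    return (b["subject"] == request["subject"]["subject-id"][0]
            and b["resource"] == request["resource"]["resource-id"][0]
            and b["action"] == request["action"]["action-id"][0]
            and b["session"] == request["environment"]["authz-session-id"][0])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    req = make_request("alice@site-a", "researcher", "lp-42", "reserve", "sess-001")
    decision = evaluate_policy(POLICY_XML, req)
    ticket = issue_ticket(key, req, decision, now=1000.0)
    other = make_request("alice@site-a", "researcher", "lp-42", "reserve", "sess-002")
    print("PDP:", decision, "| same session:", validate_ticket(key, ticket, req, now=1500.0),
          "| other session:", validate_ticket(key, ticket, other, now=1500.0))
```

The session binding is the point the abstract raises as missing from plain XACML: the PDP answers a stateless question about subject, resource and action, while the ticket carries the decision forward across requests in one provisioning session and refuses replay into a different session, after expiry, or after any change to the bound attributes. A missing `role` attribute surfaces as `Indeterminate` rather than `Deny`, which a PEP should treat as a failure, not as a permit.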
