Secure Federated Authentication and Authorisation to GRID Portal Applications using SAML and XACML

Internationally, the need for federated Identity & Access Management continues to grow, as it allows users to get Single Sign-On access to external resources (a.k.a. Service Providers) using their home account and some attributes that are being released securely by their home organization (a.k.a. Identity Providers). In other words, it solves the problem of service providers needing to create and maintain accounts for external users who they may not know. Current implementations seem to either rely on SAML, the Security Assertion Markup Language, or PKI, where the latter is mainly popular for Grid services. However, there are some trends towards convergence, for example, the recent release of the Globus toolkit is SAML and XACML aware, and GridShib is another project that uses PKI for authentication and SAML for passing attributes for authorisation. Still, these projects do not use the full potential of SAML and XACML, so this paper focuses on a scalable approach using distributed attribute authorities to access Grid services.