Scientists in the grid community face many hurdles to collaboration within and between institutions. One of these is the problem of identity management: the prevalence of many forms of identity and authentication makes it difficult to collaborate, because of the technical and administrative overhead required to verify and manage those identities. Identity management is challenging because different organizations have different notions of identity, but without a canonical user identity, every service that users need to access must make its own policy choices about which identities are acceptable. Galois, Inc. has worked with the Open Science Grid (OSG) and grid community members to develop technology called the Account Linking Service (ALS) to simplify grid identity management for web applications. The ALS is an extension to a popular open-source web single-sign-on application, the Central Authentication Service (CAS).
Solution: The ALS lets users "link" multiple credentials together, allowing the user to pick the most convenient credentials to use to enable access to all services.
Users have to manage multiple credentials and remember which to use to access a particular service. This leads to security vulnerabilities since users choose simplistic passwords, reuse passwords, or take other shortcuts. To make it easier for users to authenticate, we extended CAS with "account linking" support. A user can link one credential to another so that no matter which credential they provide, the appropriate identity information is delivered to the service that the user is accessing.
Solution: The ALS decouples authorization from authentication by providing mechanisms for translating attributes into a common vocabulary.
Account linking is an important piece of the puzzle, but it doesn't address the issue of expressing and enforcing access control policy when users have multiple credentials. Credentials often come with attributes about the user, but since users may hold credentials issued by different institutions, the same attribute will be expressed in different ways by different issuers, making it difficult to write a single access control policy. We extended CAS with mechanisms for filtering and manipulating user attributes so that administrators can handle attributes from different sources with a single access control policy.
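The two mechanisms described above, account linking and attribute translation into a common vocabulary, as an added toy model in Python (this is not the ALS or CAS code; the issuer names, the native attribute formats and the policy are constructed for illustration):

```python
# Added example (not the ALS or CAS code): a toy model of account linking and
# attribute translation into a common vocabulary. Issuer names, attribute
# formats and the policy below are constructed for illustration.
from __future__ import annotations

Credential = tuple[str, str]  # (issuer, subject as issued by that identity provider)


class AccountLinker:
    """Maps any linked credential back to a single canonical account."""

    def __init__(self) -> None:
        self._owner: dict[Credential, str] = {}

    def link(self, canonical: str, issuer: str, subject: str) -> None:
        cred = (issuer, subject)
        existing = self._owner.get(cred)
        if existing is not None and existing != canonical:
            # A credential may belong to one account only; otherwise a user
            # could attach another person's identity to their own account.
            raise ValueError(f"{cred} is already linked to {existing}")
        self._owner[cred] = canonical

    def resolve(self, issuer: str, subject: str) -> str | None:
        return self._owner.get((issuer, subject))


# Each issuer expresses attributes its own way; a per-issuer translator
# rewrites them into the common vocabulary {"role", "org"} a policy can use.
TRANSLATORS = {
    # constructed: a university IdP sends an eduPersonAffiliation-style value
    "univ-a": lambda a: {"role": a.get("eduPersonAffiliation", "none"),
                         "org": "univ-a"},
    # constructed: a lab sends an "isStaff" flag instead of a role name
    "lab-b": lambda a: {"role": "member" if a.get("isStaff") == "true" else "none",
                        "org": "lab-b"},
}


def normalize(issuer: str, attrs: dict) -> dict:
    translate = TRANSLATORS.get(issuer)
    if translate is None:  # unknown issuer: grant nothing rather than guess
        return {"role": "none", "org": issuer}
    return translate(attrs)


def authorize(linker, issuer, subject, attrs, allowed_roles):
    """One login attempt -> (canonical account or None, access decision).
    The same policy applies whichever linked credential the user presents."""
    account = linker.resolve(issuer, subject)
    if account is None:
        return None, False
    return account, normalize(issuer, attrs)["role"] in allowed_roles
```

The policy is written once, against the common "role" attribute; a credential from either issuer resolves to the same canonical account and is judged by that one rule.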
Improved collaboration through identity management and account linking
15 March 2012
Galois' Account Linking Service (ALS) enables grid scientists to collaborate across organizational boundaries by linking multiple user identities together. It lets users access restricted data with any of the linked identities. This makes it easier to develop web-based collaboration tools since web applications can accept user credentials without being tightly coupled to any particular identity system.
31 August 2011
Slides from a demonstration of our account linking prototype. The demonstration covers how to protect web resources using a combination of our account linking service prototype and the Central Authentication Service (CAS).
8 December 2010
Write-up of two solution approaches, each addressing a different set of problems identified in the needs and problems analysis.
1 November 2010
Outline of identity-system related needs and problems that Galois discovered as part of the process of requirements gathering.
In order to be successful, we need help from the stakeholders in the technology that we are working with. We would like your feedback on our work!
Options for getting in contact with us include:
The Grid 2.0 mailing list. This is a list for discussion and announcements about this project.
Send correspondence to grid2@galois.com.
This material is based upon work supported by the Department of Energy under Award Number DE-SC0002076.