The goal of the Authentication Service is to allow existing identity providers to be seamlessly integrated into a production Grid environment, so that users registered with an identity provider can use their existing credentials to access resources on the Grid. The Authentication Service provides a uniform web service interface, giving applications a single approach for authenticating users across a federation. In other words, if each organization provides an Authentication Service for its Identity Provider, then applications can be developed to authenticate users through the Authentication Service interface, allowing users from any identity provider to authenticate with any application.
When a user authenticates with the Authentication Service, the Authentication Service returns a SAML Assertion. The Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). The SAML Assertion provides the application, as consumer of the assertion, with the following:
- Proof that the user successfully authenticated.
- The method that the user authenticated with.
- Attributes containing information about the user.
Fundamentally the SAML Assertion can be understood as proof to its consumer that the user has successfully authenticated.
An enterprise Grid is essentially a collection of community-provided resources exposed over a network in the form of web/Grid services. Like the web, individual interactions between web and Grid services are stateless, and each requires a separate authentication. Most secure Grid services require users and/or other services to authenticate with them using Grid credentials, formally referred to as X.509 certificates. Grid credentials are cryptographic credentials that must be digitally signed by a trusted certificate authority. Most existing identity providers do not have the capability to issue grid credentials. To provide this capability, and for many other reasons outside the scope of this document, a grid service named Dorian was developed. Dorian issues grid credentials to users that provide it a SAML assertion signed by an identity provider that Dorian trusts. Each grid credential issued by Dorian is bound to a local account existing in one of the identity providers Dorian trusts. Together, the Authentication Service and Dorian provide a solution for federating identity in a grid environment, allowing users to use their existing credentials to access secure grid resources.
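The flow described above, as an added example that is not caGrid, Authentication Service or Dorian code: an identity provider's Authentication Service returns a signed assertion, and a Dorian-style consumer accepts it only after checking that the issuer is on its trust list, that the signature verifies, and that the assertion is inside its validity window, then binds the issued credential to the local account. The trust list, issuer names, user ids and the HMAC used as a stand-in for the identity provider's XML signature are all assumptions made for this example.

```python
import datetime as dt, hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# Constructed trust list: issuer -> signing key. A real Dorian holds each trusted
# identity provider's certificate and verifies an XML signature; HMAC stands in.
TRUSTED_IDPS = {"urn:example:idp:site-a": b"site-a-signing-key"}

def sign(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def make_assertion(issuer, user_id, key, issued):
    # What an Authentication Service returns after a successful login (constructed).
    expires = issued + dt.timedelta(minutes=5)
    body = (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Issuer="{issuer}">'
            f'<saml:Conditions NotBefore="{issued.isoformat()}" NotOnOrAfter="{expires.isoformat()}"/>'
            '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
            f'<saml:Subject><saml:NameIdentifier>{user_id}</saml:NameIdentifier></saml:Subject>'
            '</saml:AuthenticationStatement></saml:Assertion>')
    return body, sign(body, key)

def issue_grid_credential(body, signature, now):
    # Consumer-side checks: trusted issuer, intact signature, validity window.
    root = ET.fromstring(body)
    issuer = root.get("Issuer")
    key = TRUSTED_IDPS.get(issuer)
    if key is None:
        raise PermissionError(f"untrusted identity provider: {issuer}")
    if not hmac.compare_digest(sign(body, key), signature):
        raise PermissionError("assertion signature does not verify")
    cond = root.find("saml:Conditions", NS)
    if not (dt.datetime.fromisoformat(cond.get("NotBefore")) <= now
            < dt.datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        raise PermissionError("assertion outside its validity window")
    user_id = root.find(".//saml:NameIdentifier", NS).text
    # The issued credential is bound to the local account (issuer, user_id).
    return {"subject": f"/O=grid/OU={issuer}/CN={user_id}", "account": (issuer, user_id)}

def run_scenarios():
    issued = dt.datetime(2024, 1, 1, 12, 0, 0)
    idp = "urn:example:idp:site-a"
    body, sig = make_assertion(idp, "jdoe", TRUSTED_IDPS[idp], issued)
    cases = {"valid": (body, sig, 1),
             "untrusted_idp": (*make_assertion("urn:example:idp:rogue", "jdoe", b"k", issued), 1),
             "tampered": (body.replace("jdoe", "admin"), sig, 1),
             "expired": (body, sig, 10)}
    results = {}
    for name, (b, s, minutes) in cases.items():
        try:
            results[name] = issue_grid_credential(b, s, issued + dt.timedelta(minutes=minutes))
        except PermissionError as exc:
            results[name] = str(exc)
    return results
```

Only the first scenario yields a credential; the other three show why a consumer must verify issuer trust, signature and validity time rather than treating any assertion as proof of authentication.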