Fault tolerant and highly available entitlement server

Abstract

The current project is based, in part, on the use of Shibboleth to provide restricted access to resources via the web. These services and the incorporation of a separate Entitlement Server provide fine-grained access to protected resources. This project incorporates multiple Entitlement Servers to provide a robust authorization environment that can continue to operate in the event of server or network failures in the trusted environment. The design proposed in this project decentralizes the authorization process by running multiple entitlement server applications in the network. The project outlines a procedure of interaction between a service provider and the group of entitlement servers for performing the authorization of users. Multiple entitlement servers in the network help in achieving a fault tolerant and highly available authorization process. The authorization process can proceed when at least one entitlement server is present in the logical group. Each of the entitlement servers present in the group maintains enough information about the users to make detailed authorization decisions. An information synchronization methodology is utilized such that each of the entitlement servers has consistent data. The scalable architecture of the authorization process allows the addition of an additional entitlement server to the group on the fly. The design also considers the security risk factors so that any communication message between two entities is encrypted to avoid disclosure of the messages.