Fine-grained authorization in the Great Plains network virtual organization
The last few years have seen steady growth in the number of research institutions interested in developing research projects that involve more than one institution's computing resources, forming so-called virtual organizations. The goal of any virtual organization is to provide member institutions with a safe and robust collaborative research environment. Shibboleth was one of the infrastructure choices for creating a collaborative inter-institutional research environment. In the standard Shibboleth architecture, the identity provider (the user's home institution) is in charge of authenticating the user and also of storing all the entitlements on which the service provider (the shared resource) bases its access control decisions. Business and user privacy policies make it difficult to store and manage all of these entitlements at the identity provider. This thesis addresses some of the issues that have slowed the adoption of Shibboleth in deploying fully collaborative research environments. To allow for refined authorization at the virtual organization level, there is a need to define and manage virtual organization entitlements independently of any institution or participating company. Together, the identity provider, the service provider and the entitlements service provide a secure and robust collaboration environment for use by virtual organizations.