GridShib and PERMIS integration
Abstract
Purpose
The paper aims to describe the results of a recent GridShibPERMIS project whose purpose was to provide policy‐driven role‐based access control decision‐making to grid jobs, in which the user's attributes are provided by an external Shibboleth Identity Provider (IdP).
Design/methodology/approach
This was achieved by integrating the identity‐federation and attribute‐assignment functions of Shibboleth and the policy‐based enforcement functions of PERMIS with the Grid job management functions of Globus Toolkit v4.
Findings
Combining the three technologies proved to be relatively easy due to the Policy Information Point (PIP) and Policy Decision Point (PDP) Java interfaces recently introduced into Globus Toolkit v4.
Practical implications
However, a number of limitations in the current GridShib implementation were revealed, namely: the lack of support for pseudonymous access to grid resources; scalability problems, because only one issuer scope domain is supported and because name mappings have to be provided for each grid user; and the inability to collect a user's attributes from multiple IdPs for use in authorisation decision‐making.
Originality/value
This paper provides an overview of the three technologies (GT4, Shibboleth and PERMIS) and describes their benefits, shows how they may be combined to good effect via GT4's Java interfaces, describes the limitations of the current GridShib implementation, and suggests possible solutions and the additional research needed in the future to address the current shortcomings.
Citation
Chadwick, D.W., Novikov, A. and Otenko, A. (2006), "GridShib and PERMIS integration", Campus-Wide Information Systems, Vol. 23 No. 4, pp. 297-308. https://doi.org/10.1108/10650740610704153
Publisher
Emerald Group Publishing Limited
Copyright © 2006, Emerald Group Publishing Limited