Fine-Grained Authorization Services in Virtual Organizations

The last few years have experienced a steady growth in research institutions' interest in developing research projects that involve more than one insti­tution's computing resources - forming virtual organizations. The goal of any virtual organization is to provide member institutions with an interoperable, easy to use and secure research environment. Shibboleth was one of the pre­mier choices of infrastructure to be used to create collaborative inter-institu­tional research environments as it provides a coherent architecture to securely share computing resources across multiple institutions without the need for individualized user credentials for each shared resource. Some of the prob­lems that Shibboleth encountered in practice deal with its distributed authentication and authorization mechanisms and its user data accessability design. This work addresses these issues and provides a solution that allows for fine-grained authorization services in any virtual organization. We pro­pose an extension to the Shibboleth design by separating the definition, management, and usage of the user's virtual organization entitlements from the identity provider. This book is addressed to professionals in Informa­tionTechnology, researchers and students in Distributed Systems, Networking and Security.