[jsdl-wg] Discussion regarding an implementation of JSDL

Mariusz Mamoński mamonski at man.poznan.pl
Mon Jan 19 10:43:38 CST 2009


Hi Arnie,

On Mon, Jan 19, 2009 at 2:53 PM, Arnie Miles <adm35 at georgetown.edu> wrote:
> Thank you Piotr,
>
> A couple of questions embedded;
>>
>> - SMOA Core has modules for various authentication mechanisms and
>> authorization policies. It has an ability to accept SAML assertions as
>> an authentication mechanism. Besides, you may currently use plain
>> HTTP, SSL (with client authentication), GSI or WS-Security Username.
>>
>
> Do you have any installations that use SAML? What is creating the assertions
> in these installations?
>
Some time ago we successfully realized the following scenario: the
client authenticates to SMOA Computing
using a SAML bearer assertion. The assertion was issued by another
entity - Liberty ID-WSF Single Sign On Service (acting as the Security
Token Service - STS). The client authenticated to the STS using simply
a username and password. We are working on supporting any mechanism that
can be expressed using the SASL message pattern (Liberty Authentication
Service and Discovery Service).

>> - DRMAA interface to job schedulers (we mostly use it with SGE and
>> LSF). Remote users are mapped to local uids.
>>
>
> Is this mapping of users to local uids done "on the fly" or in advance? What
> mechanisms are you using for tracking accounting statistics and enforcing
> policies?
There are many options:
- when not using any authentication mechanism, each user can be mapped
to one fixed local uid or to the user specified in the JSDL document.
- when using some transport/message level security mechanism (SSL,
GSI, SAML, Username Token), the local user is determined either
statically (using a local mapfile) or dynamically (by issuing a call to
an external Grid Authorization Service) based on the provided security
context (X.509 DN, SAML Subject name)
- all information about jobs (JSDL, start/finish time, resource usage
information) is stored in a database.
>
>
> Thanks,
> Arnie
>


Cheers,
-- 
Mariusz
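
The static and dynamic mapping options described in the reply above, sketched as an added example that is not part of the original message and is not SMOA Computing's code. The mapfile layout (Globus grid-mapfile style), the function names, the deny list and the `dynamic_lookup` callable standing in for an external authorization service are all assumptions.

```python
import shlex

# Constructed sample mapfile: '"<subject>" <local account>' per line (assumed format).
SAMPLE_MAPFILE = '''
# subject name (X.509 DN or SAML Subject)        local account
"/C=PL/O=Example Grid/CN=Jan Kowalski"           jkowalski
"alice@idp.example.org"                          alice
"/C=PL/O=Example Grid/CN=Misconfigured Entry"    root
'''

# Accounts a remote identity must never be mapped to (hypothetical policy).
FORBIDDEN_ACCOUNTS = {"root"}


def parse_mapfile(text):
    """Return {subject: local_account}, skipping comments and forbidden targets."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quotes around the subject
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '\"subject\" account'")
        subject, account = fields
        if account in FORBIDDEN_ACCOUNTS:
            continue  # drop entries that would grant a privileged local uid
        if subject in mapping:
            raise ValueError(f"line {lineno}: duplicate subject {subject!r}")
        mapping[subject] = account
    return mapping


def resolve_local_user(subject, mapping, dynamic_lookup=None):
    """Static mapfile first, then the optional dynamic callout; None means deny."""
    # Exact match only: a prefix or substring match would let a DN such as
    # ".../CN=Jan Kowalski/CN=anything" inherit another user's account.
    if subject in mapping:
        return mapping[subject]
    if dynamic_lookup is not None:
        account = dynamic_lookup(subject)  # stand-in for the external service call
        if account and account not in FORBIDDEN_ACCOUNTS:
            return account
    return None  # no mapping: the job is not run under any local uid
```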

