Feature Articles
Virtual organisations in computer grids and identity management

https://doi.org/10.1016/S1363-4127(04)00016-0

Abstract

This paper provides insight into one of the key concepts of the Open Grid Services Architecture (OGSA), Virtual Organisations (VO), and analyses problems related to identity management in VOs and their possible solution based on WS-Federation and related WS-Security standards. The paper gives basic information about OGSA and the OGSA Security Architecture and analyses VO security services. A detailed description is provided of the WS-Federation federated identity model and of the operation of basic services such as the Security Token Service or Identity Provider, and the Attribute and Pseudonym services, for typical usage scenarios.

Introduction

Computer Grids [1, 2] emerged from the research area, where the complexity of problems and the need to share special, unique resources required virtualisation of the collaborative environment; currently the Grid concept can also be used for typical business tasks where large-scale dynamic resource sharing is a key problem. Grid technologies allow existing distributed computing systems to build dynamic cross-organisational applications and provide a standard base for new concepts in distributed utility computing and autonomic computing promoted by big computer vendors like IBM, HP and Sun [3].

All components of the Grid architecture are virtualised, which allows the creation of multiple virtual, task-oriented Grid Service instances on the same physical resources. Task-oriented virtualisation of resources and services uses the concept of the Virtual Organisation (VO). A VO is defined as a set of individuals and institutions together with the distributed resources that belong to them [4].

A VO is created to run specific (groups of) tasks and may include multiple specially created Grid Services. A VO is created on the basis of a business agreement between participating organisations and individuals, each of which contributes its specific resources (computers, services, people, etc.). The agreement defines all resources and services available to VO members and the conditions under which these resources and services are provided and used. A VO, like a real organisation, may contain all the basic services required to run a typical organisation, but these services may ‘physically’ and administratively be run by member organisations on behalf of the VO. Examples of VOs are: the members of a large international long-term collaboration in high energy physics; a group of organisations participating in severe weather simulation and prediction; or a virtual laboratory involving a group of specialists using remotely located unique analytical equipment (e.g. an electron microscope or a mass spectrometer) for the analysis of samples.

The Open Grid Services Architecture (OGSA), developed by a joint effort of the research community and industry in the framework of the Global Grid Forum (GGF), is intended to create a standard base for building scalable VOs and for virtualising resource management [5, 6]. Within OGSA, everything is presented as a Grid Service that conforms to a set of conventions for purposes such as lifetime management, discovery of characteristics and notification, and is described as a standard service in WSDL (Web Services Description Language). The OGSA Security Architecture incorporates the Web Services Security architecture (WS-Security) and defines specific profiles for supporting native Grid types of credentials, protocols and services.

Grid applications require specific functionality for VO management during their whole life cycle. OGSA defines a set of security services for secure VO management and integration with other OGSA components. VO membership management functionality extends beyond typical enterprise identity management concepts and requires multi-institutional federation of people, resources and services.

WS-Federation, as part of WS-Security, can provide a native platform for VO identity management. WS-Federation introduces well-defined mechanisms and procedures for federated identity management that can be used to enable identity, attribute, authentication, and authorisation federation across a VO that may include multiple administrative and trust domains. WS-Federation defines services such as the identity provider or security token service, and attribute and pseudonym providers, that can be incorporated as VO services related to VO membership management.

This paper is organised as follows. Section 2 provides general information about OGSA and more detailed information about the OGSA Security Architecture. This provides a specific Grid-related context for describing the VO concept and VO security services in Section 3, especially those related to VO membership management. Section 4 provides extended information about the WS-Federation identity management framework, with some examples in the context of VO service interaction and membership management. Section 5 provides a summary and conclusion.

Section snippets

OGSA (Open Grid Services Architecture)

A short overview of the Open Grid Services Architecture (OGSA) is provided here to show how the concept of resource and task virtualisation is implemented and where identity management sits in relation to the VO. This will also be helpful for understanding what security services are required in OGSA and how they are related to VO functionality.

Computer Grids provide a service-oriented processing infrastructure incorporating distributed resource access and job execution. As an

The virtual organisation definition in OGSA

In OGSA, a Virtual Organisation is defined as a key concept for operation and management of Grid services [6]. A VO supplies a context to associate users, resources, policies and agreements when making and processing requests for services related to a particular VO.

OGSA defines the Virtual Organisation Management Service (VOMS) that provides functions for the creation and management of VOs including: a) registration and association of users and groups with the VO; b) management of user roles;

WS-Federation identity management framework

WS-Federation is a part of the WS-Security framework and relies on other specifications from WS-Security [19, 20]. At its foundation, WS-Security defines enhancements to SOAP messaging that provide quality of protection through message integrity, message confidentiality, and single-message authentication. WS-Security provides a general-purpose mechanism for associating security tokens (both binary tokens, such as X.509 certificates or Kerberos tickets, and XML tokens such as SAML assertions) with messages. Other
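As an added illustration of the WS-Security token association described above (example code, not from the paper or any OGSA implementation): a constructed SOAP request whose wsse:Security header carries a wsu:Timestamp and an X.509 BinarySecurityToken, using the WSS 1.0 (2004) namespaces, together with the receiver-side policy check a VO service would run before relying on the token. The token value, the urn:example:vo body and the five-minute freshness window are assumptions; XML Signature verification, which supplies the integrity guarantee, is left out.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {  # WSS 1.0 (2004) namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
X509_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
MAX_AGE = timedelta(minutes=5)  # assumed receiver policy: reject messages created too long ago

def build_envelope(token_b64, created, expires):
    """Constructed SOAP request: wsse:Security header with a Timestamp and an X.509 token."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="ts-1">
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="x509-1" ValueType="{X509_TYPE}"
          EncodingType="{B64_ENC}">{token_b64}</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><vo:SubmitJob xmlns:vo="urn:example:vo"/></soap:Body>
</soap:Envelope>"""

def utc(text):
    # WS-Security xsd:dateTime values such as 2004-06-01T12:00:00Z
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_security_header(xml_text, now_iso):
    """Receiver policy: header present, timestamp fresh, expected token type. Returns (accepted, reason)."""
    now = utc(now_iso)
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return False, "no wsse:Security header"
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp"
    created = utc(ts.findtext("wsu:Created", namespaces=NS))
    expires = utc(ts.findtext("wsu:Expires", namespaces=NS))
    if not (created <= now < expires) or now - created > MAX_AGE:
        return False, "timestamp outside acceptance window"
    tok = sec.find("wsse:BinarySecurityToken", NS)
    if tok is None or tok.get("ValueType") != X509_TYPE:
        return False, "no X.509 BinarySecurityToken"
    return True, "accepted"
```

A real deployment would additionally verify the ds:Signature that references the Timestamp and Body and check the certificate chain against the VO's trusted issuers.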

Conclusions

A Virtual Organisation is defined in OGSA as a key concept for operating and managing virtualised Grid services. A VO supplies a context to associate users, resources, policies and agreements when making and processing requests for services related to a particular VO. A VO can be established according to a well-defined procedure and based on agreement between member organisations (both real and virtual) to commit their resources and adhere to common policies. A VO requires a set of common

References (32)

  • F. Berman et al.
  • I. Foster et al., The Grid 2: Blueprint for a New Computing Infrastructure, Elsevier (2003)
  • Utility Computing -...
  • I. Foster et al., Anatomy of Grids, International J. Supercomputer Applications (2001)
  • Open Grid Services Architecture Working Group -...
  • I. Foster, D. Gannon, and H. Kishimoto, The Open Grid Services Architecture, 2003 -...
  • D. Booth et al., Web Services Architecture, W3C Working Draft 8 August 2003 -...
  • S. Tuecke et al., Open Grid Services Infrastructure (OGSI), Version 1.0, June 2003 -...
  • E. Christensen et al., Web Services Description Language (WSDL) 1.1, W3C Note 15 March 2001 -...
  • The Globus Alliance, The WS-Resource Framework -...
  • N. Nagaratnam et al., Security Architecture for Open Grid Services, GGF OGSA Security Workgroup, July 2002 -...
  • F. Siebenlist et al., OGSA Security Roadmap, GGF OGSA Security Workgroup, July 2002 -...
  • Security Assertion Markup Language (SAML) v1.0, OASIS Standard, 5 November 2002 -...
  • eXtensible Access Control Markup Language (XACML) Version 1.0, OASIS Standard, 18 February 2003 -...
  • Liberty Alliance Phase 2 Final Specifications -...