
Hi Arnie,

On Mon, Jan 19, 2009 at 2:53 PM, Arnie Miles <adm35@georgetown.edu> wrote:
> Thank you Piotr,
>
> A couple of questions embedded:
>
>> - SMOA Core has modules for various authentication mechanisms and authorization policies. It has the ability to accept SAML assertions as an authentication mechanism. Besides that, you may currently use plain HTTP, SSL (with client authentication), GSI or WS-Security Username.
>
> Do you have any installations that use SAML? What is creating the assertions in these installations?

Some time ago we successfully realized the following scenario: the client authenticated to SMOA Computing using a SAML bearer assertion. The assertion was issued by another entity, a Liberty ID-WSF Single Sign-On Service acting as the Security Token Service (STS). The client authenticated to the STS using simply a username and password. We are working on supporting any mechanism that can be expressed using the SASL message pattern (Liberty Authentication Service and Discovery Service).

>> - DRMAA interface to job schedulers (we mostly use it with SGE and LSF). Remote users are mapped to local uids.
>
> Is this mapping of users to local uids done "on the fly" or in advance? What mechanisms are you using for tracking accounting statistics and enforcing policies?

There are many options:
- While not using any authentication mechanism, each user can be mapped to one fixed local uid or to the user specified in the JSDL document.
- While using some transport/message level security mechanism (SSL, GSI, SAML, Username Token), the local user is determined either statically (using a local mapfile) or dynamically (by issuing a call to an external Grid Authorization Service) based on the provided security context (X.509 DN, SAML Subject name).
- All information about jobs (JSDL, start/finish time, resource usage information) is stored in a database.

> Thanks,
> Arnie

Cheers,
--
Mariusz
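The two mechanisms Mariusz describes, a SAML bearer assertion as the security context and a static mapfile turning that context (or an X.509 DN) into a local account, are illustrated below in an added example. This is not SMOA code and not code from anyone in the thread; the mapfile layout (quoted identity followed by a local user name, as in a classic grid-mapfile), the identities, the service URL and the assertion itself are all constructed for the example, and the assertion's XML signature is assumed to have been verified by the caller before these checks run.

```python
"""Constructed illustration of SAML-bearer authentication plus mapfile-based
uid mapping for a job-submission service. Hypothetical code, not SMOA's; all
names, URLs and identities are made up for the example."""
from datetime import datetime, timezone
import re
import xml.etree.ElementTree as ET   # for untrusted XML in production, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SERVICE_AUDIENCE = "https://smoa.example.org/computing"   # constructed service identifier

# Constructed mapfile in the classic grid-mapfile layout: a quoted identity
# (X.509 DN or SAML Subject NameID), whitespace, then the local account name.
MAPFILE = '''
# identity                                 local user
"/C=PL/O=GRID/OU=PSNC/CN=Jan Kowalski"     jkowalski
"adm35@georgetown.edu"                     amiles
'''

# Constructed SAML 2.0 bearer assertion as an STS might issue it (signature omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2009-01-19T14:00:00Z">
  <saml:Issuer>https://sso.example.org/idwsf</saml:Issuer>
  <saml:Subject>
    <saml:NameID>adm35@georgetown.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-01-19T14:00:00Z" NotOnOrAfter="2009-01-19T14:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://smoa.example.org/computing</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_mapfile(text):
    """Return {identity: local_user}; reject any line that does not fit the layout."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'"([^"]+)"\s+([A-Za-z_][A-Za-z0-9_-]*)', line)
        if m is None:
            raise ValueError(f"malformed mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping


def parse_saml_time(value):
    # SAML uses xs:dateTime in UTC with a trailing "Z"; fromisoformat() before
    # Python 3.11 does not accept "Z", so normalise it to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def subject_from_bearer_assertion(xml_text, audience, now):
    """Check confirmation method, validity window and audience, then return the
    Subject NameID. Assumes the enclosing XML signature was already verified by
    the caller; an unsigned assertion must never reach this function."""
    root = ET.fromstring(xml_text)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if conf is None or conf.get("Method") != BEARER:
        raise ValueError("not a bearer assertion")
    conds = root.find("saml:Conditions", SAML_NS)
    if conds is None:
        raise ValueError("assertion without Conditions")
    not_before = parse_saml_time(conds.get("NotBefore"))
    not_on_or_after = parse_saml_time(conds.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this service")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("assertion without Subject NameID")
    return name_id.strip()


def map_to_local_user(security_context, mapping, anonymous_user=None):
    """security_context is None (no authentication) or the authenticated identity
    string (X.509 DN or SAML Subject NameID). Unmapped identities are rejected
    rather than silently given a shared account."""
    if security_context is None:
        if anonymous_user is None:
            raise PermissionError("unauthenticated requests are not accepted")
        return anonymous_user
    try:
        return mapping[security_context]
    except KeyError:
        raise PermissionError(f"no local account mapped for {security_context!r}") from None


def resolve_saml_request(xml_text, now):
    """Whole path for one request: assertion -> SAML Subject -> local account."""
    subject = subject_from_bearer_assertion(xml_text, SERVICE_AUDIENCE, now)
    return map_to_local_user(subject, parse_mapfile(MAPFILE))


if __name__ == "__main__":
    when = datetime(2009, 1, 19, 14, 5, tzinfo=timezone.utc)
    print(resolve_saml_request(ASSERTION, when))   # prints amiles
```

The anonymous path corresponds to the "one fixed local uid" option: it is only taken when the deployment explicitly names an account for it. The "user specified in the JSDL document" option is deliberately not shown, since letting an unauthenticated caller pick the account is only acceptable on a trusted network.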