Extending the security assertion markup language to support delegation for Web services and grid services

Abstract

Users of Web and grid services often must temporarily delegate some or all of their rights to a software entity to perform actions on their behalf. The problem with the typical grid services approach (X. 509 proxy certificates) is that commercial Web services tooling fails to recognize these certificates or process them properly. The security assertion markup language (SAML) is a standardized XML-based framework for exchanging authentication, authorization and attribute information. SAML has broadening commercial support but lacks delegation capabilities. To address this shortcoming, we exploit SAML's inherent extensibility to create a delegation framework for Web and grid services that supports both direct and indirect delegation. We develop a set of verification rules for delegation tokens that rely on WS-Security X.509 signatures, but do not force any trust relationship between the delegatee and the target service. We have implemented the framework on two common Web service hosting environments: Java/Tomcat and .NET. By leveraging existing Web services standards, we make it easier for Grid practitioners to build and consume Web and grid services without resorting to grid-specific protocols.