• DocumentCode
    2414951
  • Title

    Using SAML and XACML for Complex Authorisation Scenarios in Dynamic Resource Provisioning

  • Author

    Demchenko, Yuri ; Gommans, Leon ; De Laat, Cees

  • Author_Institution
    Syst. & Network Eng. Group, Amsterdam Univ.
  • fYear
    2007
  • fDate
    10-13 April 2007
  • Firstpage
    254
  • Lastpage
    262
  • Abstract
    This paper presents ongoing research and current results on the development of flexible access control infrastructures for complex resource provisioning in grid-based collaborative applications and on-demand network services provisioning. The paper identifies basic resource provisioning models, specifies major requirements for the authorisation (AuthZ) service infrastructure to support these models, and focuses on two main issues: AuthZ session support and policy expression for complex resource models. For the practical implementation, we investigate the use of two popular standards, SAML and XACML, for complex authorisation scenarios in dynamic resource provisioning across multiple administrative and security domains. The paper describes a proposed XML-based AuthZ ticket format that is capable of supporting extended AuthZ session context. Additionally, the paper discusses what specific functionality should be added to existing grid-oriented authorization frameworks to handle dynamic domain-related security context, including AuthZ session support. The paper is based on experiences gained from major grid-based and grid-oriented projects such as EGEE, NextGrid, Phosphorus and GigaPort research on network
  • Keywords
    XML; authorisation; grid computing; resource allocation; AuthZ; Extensible Access Control Markup Language; SAML; Security Assertion Markup Language; XACML; access control; dynamic resource provisioning; grid-based collaborative applications; grid-oriented authorization; on-demand network services provisioning; Access control; Authentication; Authorization; Collaboration; Middleware; Resource management; Security; Systems engineering and theory; Web services; XML;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on
  • Conference_Location
    Vienna
  • Print_ISBN
    0-7695-2775-2
  • Type

    conf

  • DOI
    10.1109/ARES.2007.157
  • Filename
    4159811