A federated authentication and authorization scheme for cross-domain Grid services based upon SAML is proposed. A trust relationship based on PKI technique is established among federated domains firstly. When a user logs into its local domain, the identity of the user can then be recognized by the federated domains. The privileges that a cross-domain user can have are administrated by the resource domain locally. Therefore, an authenticated cross-domain user can access the authorized Grid services provided by the resource domain. SAML statements are adopted to transport the authentication and authorization assertion among trusted domains. A session key is used to prove the owner of the SAML assertions and to encrypt the sensitive data. The overall security mechanism is implemented. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Due to computing grid's large scale, distributed anddynamic nature, the security issues around gridapplications are more pervasive than computer network ingeneral and thus call for more complicated solutions. Inorder to solve key problems such as security mechanismintegration in heterogeneous grid, identity authenticationand trust delegation, a cross-domain authentication andauthorization model based on role translation anddelegation is proposed. This model allows theestablishment of trust among heterogeneous domains viacertain protocols so that resource sharing across griddomains becomes possible. After a user logins to a localgrid domain, its role in the local domain is mapped to arole in resource domain by using RBAC based roletranslation. This removes the need for cross-domain userlogins while they are accessing resources across differentdomains, which results in much higher efficiency. The useof Security Assertion Markup Language (SAML) baseddelegation for transferring user privileges enablessubmitting operation by delegation assertion and thecross-domain federation is done automatically. This cangreatly reduce users' manual involvement.

An efficient hierarchical key assignment scheme for access control based on one-way hash function is proposed, which allows the user in a security class to derive the keys of its subordinating classes, so that the superior class can access the information encrypted and owned by its subordinating classes. This scheme is also flexible to change the hierarchical relationship among security classes, for example, it is not difficult to add new security classes to the hierarchy, or to delete security classes from the hierarchy dynamically. By analysis and comparison, it is shown that some features, such as efficiency, extensibility, and security, are possessed by this scheme.