A federated authentication and authorization scheme for cross-domain Grid services based upon SAML is proposed. A trust relationship based on PKI technique is established among federated domains firstly. When a user logs into its local domain, the identity of the user can then be recognized by the federated domains. The privileges that a cross-domain user can have are administrated by the resource domain locally. Therefore, an authenticated cross-domain user can access the authorized Grid services provided by the resource domain. SAML statements are adopted to transport the authentication and authorization assertion among trusted domains. A session key is used to prove the owner of the SAML assertions and to encrypt the sensitive data. The overall security mechanism is implemented. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.