Managing authentication and authorization in distributed science gateway middleware

摘要

Establishing users' identities and determining their permissions before they access research infrastructure resources are key features of science gateways. With many science gateways now relying on general purpose gateway platform services, the challenges of managing identity-derived features have expanded to include network-based authentication and authorization scenarios that connect science gateway tenants, science gateway platform middleware, and third party identity provider services, including campus identity management systems. This paper examines both architectural and implementation considerations for integrating these services. We provide a summary case study that further shows how end-to-end authentication and authorization can be provided between gateways, campus authentication systems, science gateway middleware, and campus computing resources. We conclude with observations on lifecycle management of third party components in science gateway platform services, which is an important consideration for both selection of new technologies and transitioning from older systems.