Using SAML and XACML for Complex Resource Provisioning in Grid based Applications

Yuri Demchenko, Leon Gommans, Cees de Laat
System and Network Engineering Group, University of Amsterdam
{demch, lgommans, delaat}@science.uva.nl

Abstract

This paper presents ongoing research and current results on the development of a flexible access control infrastructure for complex resource provisioning (CRP) in Grid-based applications. The paper proposes a general CRP model and specifies the major requirements on the Authorisation (AuthZ) service infrastructure needed to support multidomain CRP, focusing on two main issues: policy expression for complex resource models and AuthZ session support. The paper provides suggestions on using XACML and its profiles to describe access control policies for complex resources and briefly describes the proposed XML-based AuthZ ticket format that supports an extended AuthZ session context. Additionally, the paper discusses what specific functionality can be added to the gLite Java Authorisation Framework (gJAF) to handle dynamic security context, including AuthZ session support. The paper is based on experience gained from major Grid-based and Grid-oriented projects such as EGEE, Phosphorus and GigaPort Research on Network.

1. Introduction

Modern e-Science applications are based on Grid-enabled sharing of experimental equipment and computing resources, and often require a dedicated high-speed network infrastructure to enable effective collaboration and distributed computation. Grid and Web Services [1] allow resources and user groups to be virtualised in the form of Virtual Laboratories (VL) or Virtual Organisations (VO). Such a virtualisation of resources and users can be created dynamically on demand, based on an experiment or service agreement, and terminated once the experiment has been completed or the service/resource has been delivered or consumed.
When considering a general Complex Resource Provisioning (CRP) model, we investigated different use cases such as Distributed Grid Computing [2], Virtual Laboratory organisation in collaborative e-Science applications [3], and on-demand Optical LightPath Provisioning (OLPP) [4]. An important component of the general CRP infrastructure is the AuthZ service infrastructure. The paper explores the possibilities and presents our experience with technologies such as XACML and SAML, which provide rich functionality for CRP policy expression and dynamic security context management. The presented research and proposed solutions are specifically oriented towards use with the popular Grid middleware being developed in the framework of large international projects such as EGEE^1 and the Globus Alliance^2.

The paper is organised as follows. Section 2 describes the general CRP model, which separates the resource reservation, resource allocation, and resource access or consumption stages. The section summarises common requirements on the AuthZ service infrastructure needed to support different provisioning and AuthZ scenarios in a distributed dynamic environment. Section 3 discusses what functionality is available in the XACML specification suite for expressing access control policies for complex distributed resources with different logical organisations (multiple, multiple constrained, and hierarchical). Section 4 describes how the resource domain related dynamic security context and AuthZ session management can be added to the gLite Java AuthZ Framework (gJAF) [5], which is a component of the EGEE gLite middleware. Section 5 briefly describes the AuthZ ticket format that allows for extended AuthZ session security context management during the resource provisioning and access stages.

^1 http://www.eu-egee.org/
^2 http://www.globus.org/