CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE
Concurrency Computat.: Pract. Exper. 2009; 21:509–532
Published online 22 July 2008 in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/cpe.1350

Cross-domain authorization for federated virtual organizations using the myVocs collaboration environment

Jill Gemmill 1,2,*,†, John-Paul Robinson 3, Tom Scavo 4 and Purushotham Bangalore 5

1 Clemson University, Cyberinfrastructure Technology Integration, SC, U.S.A.
2 Clemson University, School of Computing, SC, U.S.A.
3 Information Technology, University of Alabama at Birmingham, Birmingham, AL, U.S.A.
4 National Center for Supercomputing Applications, University of Illinois at Champaign-Urbana, IL, U.S.A.
5 Department of Computer and Information Sciences, University of Alabama at Birmingham, Birmingham, AL, U.S.A.

SUMMARY

This paper describes our experiences building and working with the reference implementation of myVocs (my Virtual Organization Collaboration System). myVocs provides a flexible environment for exploring new approaches to security, application development, and access control, built from Internet services without a central identity repository. The myVocs framework enables virtual organization (VO) self-management across unrelated security domains for multiple, unrelated VOs. By leveraging the emerging distributed identity management infrastructure, myVocs provides an accessible, secure collaborative environment using standards for federated identity management and open-source software developed through the National Science Foundation Middleware Initiative. The Shibboleth software, an early implementation of the Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language (SAML) standard for browser single sign-on, provides the middleware needed to assert identity and attributes across domains, so that access control decisions can be made at each resource based on local policy. The eduPerson object class for the lightweight directory access protocol (LDAP) provides standardized naming, format, and semantics for a global identifier. We have found that a Shibboleth

* Correspondence to: Jill Gemmill, Clemson University, 340 Computer Court, Anderson, SC, U.S.A.
† E-mail: gemmill@clemson.edu

Contract/grant sponsor: NMI Enabled Open Source Collaboration Tools for Virtual Organizations; contract/grant number: NSF ANI-0330543
Contract/grant sponsor: Advanced Network Infrastructure for Health & Disaster Management; contract/grant number: N01-LM-3-3513
Contract/grant sponsor: NSF National Middleware Initiative; contract/grant numbers: 0438424, 0438385

Copyright 2008 John Wiley & Sons, Ltd.