Delegation service

The delegation service is a way to get credentials into another service such that the latter service can act on a user's behalf. We've planned to have a delegation service since the start of the SSO activity.

The problem is this: given a client that holds a certificate and private key for a user, the client can authenticate to a service in the user's name but that service cannot immediately authenticate as the user to a subordinate service. Therefore, for example, a secured DAL service cannot deliver results to a secured VOSpace without some help.

To fix this, the client has to delegate credentials to the first service. That means that the client has to sign a proxy certificate matching some private key that the service holds. This mechanism needs to be standardized. It's easiest to frame that standard in terms of a delegation service that runs alongside the service needing the delegated credentials.

In outline, the delegation service generates a key-pair, passes the public key back to the client as a certificate-signing request and accepts the signed certificate from the client. It then makes the certificate and private key available to other, local services via a secure back-channel.

This form of delegation by impersonation is standard in Grid computing.

Details of the delegation service

• InitialProposalForRESTfulDelegationService

-- GuyRixon - 05 Mar 2007