I. Introduction
User management for large-scale projects or resources places large administrative burdens on collaborating centres. Establishing a user's identity, maintaining that identity, and allocating and revoking privileges and licenses together comprise a heavy workload that requires dedicated staff to be employed at institutions. If centres insist on maintaining credentials for any external users who access their systems, there will come a point where the administrative workload becomes too great. In addition, the authenticity of these users is hard to establish if they are based at remote institutions.

In the past ten years, there has been a paradigm shift towards the concept of federated identity and access management infrastructures, such as those implemented by the Shibboleth [1] implementation of the Security Assertion Markup Language (SAML). This allows a group of establishments, such as higher education institutions, to agree to form a federation of trusted sites that place trust in the identity assertions of the individual collaborating sites. From an end-user perspective, this allows a user wishing to access a service or resource available through the federation to log in using only their local credentials. Once authenticated, these credentials can subsequently be used to access other resources available through the federation without further authentication challenges/responses, known as Single Sign-On (SSO).

These infrastructures work well when all the home institution needs to do is release an authentication statement about a user. Releasing extra information, in particular what privileges or licenses the user holds on other systems, is a more complicated scenario. It is made difficult by the fact that licenses are often held by external authorities (generally the resource host), and the management of user authorisation, which may change on a day-to-day basis, is not something that home institutions are rightly able to undertake.