1. Shared Identity
1.1. Goal: Log in to many sites with same credentials
1.2. Workflow
1.2.1. Visit any node
1.2.2. Provide credentials once for that node
1.2.3. Visit any other node
1.2.4. Provide same credentials, once for THAT node
1.3. Mechanism
1.3.1. Back-end identity base (e.g., LDAP)
2. Single Sign On
2.1. Goal: Log in to many sites with same credentials, only once for the entire cluster
2.2. Workflow
2.2.1. Visit any node
2.2.2. Provide credentials
2.2.3. Vist any other node
2.2.4. No credentials needed
2.3. Mechanism
2.3.1. Protocol to propagate identity assurances
2.3.2. Protocol to validate identity assurances
3. Agency
3.1. Goal: enable some other app to act on our behalf
3.2. Workflow
3.2.1. Visit agent node
3.2.2. log in
3.2.3. designate service node
3.2.4. log in
3.2.5. approve agency
3.2.6. agent node can now do stuff at service node, even when we're not logged in anywhere
3.3. Mechanism
3.3.1. Protocol to request agency token
3.3.1.1. Includes designating subset of capabilities
3.3.2. Extension to authentication, authorization to validate token and use
3.3.3. Extension to a&a UI to revoke agency