Strategies for handling cross-platform user authentication and authorization

Question

I'm interested in what strategies can be used for handling user authentication and authorization in a cross-platform distributed system. I would like to be able to mark actions in the system as belonging to a certain user and also to only allow certain users to do certain actions.

Background: The system is currently used under Windows only, where actions initiated by a user is currently only tagged as coming from the particular machine of the user. An action basically involves using the cpu for doing some calculations and returning the result.

There is currently no authorization whatsoever being done and no authentication of users (or between computers). The system is running as a service with low privileges (using the NETWORK SERVICE account). Data is not sensitive and all users on the local network are allowed to use the system to their hearts content.

The system can be deployed in both homogeneous Windows domain setups as well as workgroups without a domain controller or with a mix of a domain together with a bunch of worker computers not belonging to the domain.

Problem

In order to add functionality to the system, say for instance collecting usage statistics per user or displaying who is making use of a computer it is necessary to keep track of individual users. In addition to this, if certain actions should only be allowed to be performed by certain users (for instance changing some settings for the system), some form of authorization is also required.

I have a good understanding of the Windows way of doing this and adding this type of functionality in a homogeneous Windows domain setup would be straightforward using the built-in authentication and authorization functionality in Windows. This also eliminates the need to assign special accounts only valid for this particular system to the system - once the user has logged in normally all authentication and authorization can be done without requiring any extra user interaction.

But what if the system should be able to run on Mac OSX? Or Linux? What if it is supposed to run in a mixed environment with some users in a Windows domain, others on OSX and some worker machines running Linux? (The actual system can be ported to all of these systems and handles cross-platform communication and so on). I have limited knowledge of the way authentication and authorization is handled on these platforms and no knowledge of how this can be achieved when interacting between platforms.

Are there any good strategies to use for cross-platform user authentication and authorization in a distributed system like this? Note the dual use of "cross-platform" here - both as in being able to compile the program for different platforms and as in being able to interact between platforms.

I've tagged the question as C++, since this is the language the system is written in, but I am willing to accept anything that can be interacted with using C++. Any ideas (including wild architectural changes) are welcome!

Update:

An example of what would be interesting to be able to achieve:

User A is logged in to machine 1, which is a Windows machine.

User A opens the administrative interface for the system, selects machine 2 (a Linux system) and adjusts a setting. The system verifies that user A in fact has sufficient privileges to be allowed to do this.

Since A already verified his identity when he/she logged in, it would be desirable to allow him/her to change this setting without having to provide additional credentials.

Answer 1

You chould use claims based authentication with SAML tokens, which work cross platform.

On the windows side there is a library for this: Windows Identity Foundation.

See: http://msdn.microsoft.com/en-us/security/aa570351