A wonderful thing has been happening over the past year: many previously disparate and apparently incompatible threads (PKI, Grid Security Infrastructure, Shibboleth, SAML, etc.) have come together in a consistent "attribute-based access control" architecture, in which access control decisions can be made on the basis of various user attributes in addition to simple identity. Many people have contributed to making this happen, but Frank Siebenlist has been a major contributor on the architecture and standards.
If you want to learn more about this, one good starting point is a draft article that Von Welch, I, and others have put together describing how this can work within the context of the TeraGrid cyberinfrastructure. See also a recent article by Bo Lang. It's all very exciting.