Subject Re: entity categories
From Scott Koranda <skoranda@xxxxxxxxx>
Date Tue, 25 Jun 2013 20:04:21 -0500

> >(To work around these issues as is, I'd probably just prepopulate these
> >values into a form and require the user to fix them up as needed.)
> I think that's a bad idea, leading to essentially carte blanche
> impersonation of users in many applications. As I've said before, I would
> never intentionally allow self-update of name fields in a federated
> application that displays the fields as the primary means of attribution
> or person selection.

I won't speak for Benn, but my VO perspective is that we will
not display the form and prepopulate the values at the
application level.

Rather, the plan is to take the values asserted by the IdP
during an enrollment flow that includes authentication against
an IdP, pre-populate a form, let the user amend and edit as
necessary (and add other information not asserted by the IdP),
and create an enrollment petition for joining the VO or the VO

Then, after VO-specific vetting, processing, and approval of
the petition use the stored values now linked to the asserted
ePPN (or other appropriate identifier) as data to be served by
an attribute authority (AA). The application(s) then will have
access to that data by querying the AA.
Scott Koranda for LIGO
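The enrollment flow Scott describes above, as an added example that is not part of the original thread nor of any VO's actual software: values arrive tagged with their provenance (asserted by the IdP during the authenticated enrollment, or amended by the enrollee on the pre-populated form), the petition is keyed on the IdP-asserted ePPN which the enrollee cannot edit, the vetter is shown exactly which values the user changed or added, and the application only ever sees data by querying the attribute authority after approval. All class and function names, the sample assertion and the attribute names (givenName, sn, displayName, mail, mobile) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Added example; hypothetical names throughout, not any VO's real registry code.


class Source(Enum):
    IDP = "idp"    # asserted by the IdP in the authenticated enrollment flow
    USER = "user"  # amended or added by the enrollee on the pre-populated form


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass(frozen=True)
class AttributeValue:
    value: str
    source: Source


@dataclass
class Petition:
    eppn: str  # IdP-asserted identifier; the petition is keyed on it and it is never editable
    attributes: dict = field(default_factory=dict)
    status: Status = Status.PENDING
    vetted_by: Optional[str] = None


def start_petition(idp_assertion: dict) -> Petition:
    """Pre-populate the enrollment form from what the IdP asserted.

    Every value is tagged Source.IDP so that later user edits stay distinguishable.
    """
    attrs = {name: AttributeValue(value, Source.IDP)
             for name, value in idp_assertion.items() if name != "eppn"}
    return Petition(eppn=idp_assertion["eppn"], attributes=attrs)


def amend(petition: Petition, edits: dict) -> None:
    """Let the enrollee fix up or add values; each edit is tagged Source.USER."""
    if petition.status is not Status.PENDING:
        raise ValueError("petition is no longer editable")
    if "eppn" in edits:
        raise ValueError("the IdP-asserted identifier is not user-editable")
    for name, value in edits.items():
        petition.attributes[name] = AttributeValue(value, Source.USER)


def values_needing_review(petition: Petition) -> dict:
    """What the VO vetter must check by hand: everything the enrollee changed or added."""
    return {n: a.value for n, a in petition.attributes.items() if a.source is Source.USER}


class AttributeAuthority:
    """Serves vetted attributes to applications, keyed by ePPN.

    Nothing from a pending or rejected petition is ever visible here.
    """

    def __init__(self) -> None:
        self._approved: dict = {}

    def vet(self, petition: Petition, approve: bool, vetter: str) -> None:
        if petition.status is not Status.PENDING:
            raise ValueError("petition already vetted")
        petition.vetted_by = vetter
        if approve:
            petition.status = Status.APPROVED
            self._approved[petition.eppn] = {n: a.value for n, a in petition.attributes.items()}
        else:
            petition.status = Status.REJECTED

    def query(self, eppn: str) -> Optional[dict]:
        """What an application receives when it asks the AA about a subject."""
        return self._approved.get(eppn)


def display_name(aa: AttributeAuthority, eppn: str) -> str:
    """Application-side attribution: AA data only, never a self-asserted form field."""
    attrs = aa.query(eppn)
    if attrs is None:
        return f"<unvetted subject {eppn}>"
    return attrs.get("displayName") or f"{attrs.get('givenName', '')} {attrs.get('sn', '')}".strip()


# Constructed sample assertion for the walk-through (not real data).
SAMPLE_ASSERTION = {"eppn": "jdoe@example.edu", "givenName": "J", "sn": "Doe",
                    "mail": "jdoe@example.edu"}


def demo():
    """Walk one petition through the flow; returns what the application sees before and after."""
    aa = AttributeAuthority()
    p = start_petition(SAMPLE_ASSERTION)
    amend(p, {"givenName": "Jane", "displayName": "Jane Doe", "mobile": "+1 555 0100"})
    before = display_name(aa, p.eppn)      # AA has nothing yet: nothing is served
    review = values_needing_review(p)      # the vetter sees exactly the three user-supplied values
    aa.vet(p, approve=True, vetter="vo-registrar")
    after = display_name(aa, p.eppn)       # only now does the application get a name
    return before, review, after


if __name__ == "__main__":
    print(demo())
```

The point of tagging provenance is that the vetter's attention goes to the user-amended fields rather than to what the IdP already vouched for, and the point of routing everything through the AA is that an application cannot be handed a self-asserted name before the VO has approved it.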