Subject Re: VO challenges - article
From "Basney, Jim" <jbasney@xxxxxxxxxxxx>
Date Thu, 22 Oct 2015 09:52:58 +0000

I agree on the need for a VO attribute service but that does not eliminate
the need for at minimum a non-reassigned persistent identifier attribute
to be released by the IdP (i.e., the "minimal subset of the R&S attribute
bundle"). We can't say that "attribute release is no longer the problem"
or "IdPs don't need to change" until IdPs will release at least this
minimal attribute (bundle) for VO users so the VO managers have a
user identifier to which VO attributes can be attached via a VO attribute


On 10/22/15, 11:36 AM, David Chadwick wrote:
>Hi Heather
>I have read your wiki and thanks for putting it together. However, I
>think you miss a fundamental point in your article, unless I have
>misread it. You say that attribute release is a fundamental requirement,
>but I don't see it quite that way. I don't think that IdPs will ever
>release the right set of attributes for VOs. Why? Because they are
>unable to. They don't know the right roles to assign to the various VO
>participants in the first place. Only the VO managers know this. And
>IdPs won't let VO managers update user attributes in their database. So
>if IdPs don't know which attributes users should be assigned, they can
>never release them, even if they were willing to.
>For this reason I think we need a VO service that will allow the VO
>managers themselves to assign the right roles to the VO users, and
>that RPs are given the right tools to seamlessly integrate the
>attributes/roles from the VO service with the authentication and limited
>attribute assertions from the IdP. In this way IdPs don't need to change.
>Attribute release is no longer the problem. Instead VO attribute
>assignment and aggregation replaces it.
>I believe that this is what COmanage and our VO work in OpenStack are
>both doing.
>On 21/10/2015 23:53, Heather Flanagan wrote:
>> Hello all,
>> I've drafted up a short wiki page on the topic of challenges in the VO
>> space. Basically, it's an expansion on my presentation at the REFEDS
>> meeting earlier this month at Internet2's TechX.
>> You can find the write up here:
>> Feedback is of course encouraged and welcomed!
>> -Heather