Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Thu, 22 Oct 2015 10:56:21 +0100

But this is a requirement of the SAML persistent ID is it not? So if the
implementation is working correctly, the IdP should not have anything to
do to ensure this.


On 22/10/2015 10:52, Basney, Jim wrote:
> I agree on the need for a VO attribute service but that does not eliminate
> the need for at minimum a non-reassigned persistent identifier attribute
> to be released by the IdP (i.e., the "minimal subset of the R&S attribute
> bundle"). We can't say that "attribute release is no longer the problem"
> or "IdPs don't need to change" until IdPs will release at least this
> minimal attribute (bundle) for VO users so the VO managers have a
> user identifier to which VO attributes can be attached via a VO attribute
> service.
> -Jim
> On 10/22/15, 11:36 AM, David Chadwick wrote:
>> Hi Heather
>> I have read your wiki and thanks for putting it together. However, I
>> think you miss a fundamental point in your article, unless I have
>> misread it. You say that attribute release is a fundamental requirement,
>> but I don't see it quite that way. I don't think that IdPs will ever
>> release the right set of attributes for VOs. Why? Because they are
>> unable to. They don't know the right roles to assign to the various VO
>> participants in the first place. Only the VO managers know this. And
>> IdPs won't let VO managers update user attributes in their database. So
>> if IdPs don't know which attributes users should be assigned, they can
>> never release them, even if they were willing to.
>> For this reason I think we need a VO service that will allow the VO
>> managers themselves to assign the right roles to the VO users, and
>> that RPs are given the right tools to seamlessly integrate the
>> attributes/roles from the VO service with the authentication and limited
>> attribute assertions from the IdP. In this way IdPs don't need to change.
>> Attribute release is no longer the problem. Instead VO attribute
>> assignment and aggregation replaces it.
>> I believe that this is what Comanage and our VO work in Openstack are
>> both doing.
>> regards
>> David
>> On 21/10/2015 23:53, Heather Flanagan wrote:
>>> Hello all,
>>> I've drafted up a short wiki page on the topic of challenges in the VO
>>> space. Basically, it's an expansion on my presentation at the REFEDS
>>> meeting earlier this month at Internet2's TechX.
>>> You can find the write up here:
>>> Feedback is of course encouraged and welcomed!
>>> -Heather
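The architecture the thread converges on (the IdP releases at least a non-reassigned persistent identifier; the RP keys VO-assigned roles to that identifier and merges them with whatever the IdP asserts) can be illustrated with a small relying-party routine. The code below is an added example written for this page, not code from any of the participants, COmanage, or the OpenStack VO work. The assertion, the entity IDs, the NameID value and the VO role records are all constructed sample data; the check that the NameID format is `persistent` (and not `transient`) is the point Jim raises, since a transient identifier gives the VO manager nothing stable to attach roles to.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion: an IdP releasing a persistent NameID plus one
# ordinary attribute. The entity IDs and the opaque value are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2015-10-22T09:52:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.edu/idp/shibboleth"
        SPNameQualifier="https://rp.example.org/sp">9f1c3e7a-example-opaque-value</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion but with a transient NameID: usable for a single session only,
# so no VO role can be attached to it across logins.
TRANSIENT_ASSERTION = SAMPLE_ASSERTION.replace(PERSISTENT, TRANSIENT)

# Constructed VO attribute-service records. The VO manager, not the IdP, decides
# these roles; they are keyed on (NameQualifier, NameID value), which is the
# scope in which SAML says a persistent identifier is unique and non-reassigned.
VO_ROLES = {
    ("https://idp.example.edu/idp/shibboleth", "9f1c3e7a-example-opaque-value"):
        ["vo-alpha:member", "vo-alpha:data-steward"],
}


def extract_persistent_id(assertion_xml, expected_sp):
    """Return (qualifier, value) for the subject's persistent NameID.

    Raises ValueError if the IdP released no persistent identifier or one
    issued for a different SP; either way the RP has no stable key to which
    VO roles could be bound.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != PERSISTENT:
        raise ValueError("no persistent NameID released by the IdP")
    if nameid.get("SPNameQualifier", expected_sp) != expected_sp:
        raise ValueError("NameID was issued for a different SP")
    qualifier = nameid.get("NameQualifier") or issuer
    return (qualifier, nameid.text.strip())


def idp_attributes(assertion_xml):
    """Collect the attributes the IdP did release, keyed by FriendlyName or Name."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def aggregate(assertion_xml, expected_sp, vo_roles):
    """RP-side merge: the IdP's assertion supplies authentication and a stable
    subject key; the VO service supplies the roles attached to that key."""
    subject = extract_persistent_id(assertion_xml, expected_sp)
    return {
        "subject": subject,
        "idp_attributes": idp_attributes(assertion_xml),
        "vo_roles": list(vo_roles.get(subject, [])),
    }


def can_attach_vo_roles(assertion_xml, expected_sp):
    """True only when the assertion carries an identifier the VO can build on."""
    try:
        extract_persistent_id(assertion_xml, expected_sp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(aggregate(SAMPLE_ASSERTION, "https://rp.example.org/sp", VO_ROLES))
    print(can_attach_vo_roles(TRANSIENT_ASSERTION, "https://rp.example.org/sp"))
```

The RP never keys its VO-role lookup on a name or mail attribute, because those may be absent, changed or reassigned; it keys on the scoped persistent NameID, which is the minimal attribute release the thread asks of IdPs. An assertion with only a transient NameID is rejected before any role lookup happens.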