Subject Re: VO challenges - article
From "Basney, Jim" <jbasney@xxxxxxxxxxxx>
Date Thu, 22 Oct 2015 10:00:14 +0000

IdPs don't release the SAML persistent ID. That is the problem. It is a
policy problem, not an implementation problem.


On 10/22/15, 11:56 AM, David Chadwick wrote:
>But this is a requirement of the SAML persistent ID is it not? So if the
>implementation is working correctly, the IdP should not have anything to
>do to ensure this.
>On 22/10/2015 10:52, Basney, Jim wrote:
>> I agree on the need for a VO attribute service but that does not
>> the need for at minimum a non-reassigned persistent identifier attribute
>> to be released by the IdP (i.e., the "minimal subset of the R&S
>> bundle"). We can't say that "attribute release is no longer the problem"
>> or "IdPs don't need to change" until IdPs will release at least this
>> minimal attribute (bundle) for VO users so the VO managers have a
>> user identifier to which VO attributes can be attached via a VO
>> service.
>> -Jim
>> On 10/22/15, 11:36 AM, David Chadwick wrote:
>>> Hi Heather
>>> I have read your wiki and thanks for putting it together. However, I
>>> think you miss a fundamental point in your article, unless I have
>>> misread it. You say that attribute release is a fundamental
>>> but I don't see it quite that way. I don't think that IdPs will ever
>>> release the right set of attributes for VOs. Why? Because they are
>>> unable to. They don't know the right roles to assign to the various VO
>>> participants in the first place. Only the VO managers know this. And
>>> IdPs won't let VO managers update user attributes in their database. So
>>> if IdPs don't know which attributes users should be assigned, they can
>>> never release them, even if they were willing to.
>>> For this reason I think we need a VO service that will allow the VO
>>> managers themselves to assign the right roles to the VO users, and
>>> that RPs are given the right tools to seamlessly integrate the
>>> attributes/roles from the VO service with the authentication and
>>> attribute assertions from the IdP. In this way IdPs don't need to
>>> Attribute release is no longer the problem. Instead VO attribute
>>> assignment and aggregation replaces it.
>>> I believe that this is what Comanage and our VO work in Openstack are
>>> both doing.
>>> regards
>>> David
>>> On 21/10/2015 23:53, Heather Flanagan wrote:
>>>> Hello all,
>>>> I've drafted up a short wiki page on the topic of challenges in the VO
>>>> space. Basically, it's an expansion on my presentation at the REFEDS
>>>> meeting earlier this month at Internet2's TechX.
>>>> You can find the write up here:
>>>> Feedback is of course encouraged and welcomed!
>>>> -Heather
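As an added illustration of the point Jim and David are debating (this code is not from the thread, COmanage or the OpenStack VO work): an RP-side aggregation step that keys VO-managed roles on (IdP entityID, persistent NameID) and fails closed when the IdP released only a transient NameID, since then the VO service has no stable identifier to attach roles to. The VO role table, entityID and NameID values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed stand-in for a VO attribute service: roles are keyed by
# (IdP entityID, persistent NameID) and maintained by the VO managers,
# since the IdP does not know which VO roles its users should hold.
VO_ROLES = {
    ("https://idp.example.edu/idp", "a1b2c3-persistent"): ["vo:member", "vo:data-manager"],
}

def persistent_name_id(root):
    """Return the NameID element only if it is persistent (else None)."""
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        return None
    return name_id

def can_bind_vo_roles(assertion_xml: str) -> bool:
    """True when the IdP released an identifier the VO service can key on."""
    return persistent_name_id(ET.fromstring(assertion_xml)) is not None

def aggregate_attributes(assertion_xml: str) -> dict:
    """Merge IdP-asserted attributes with roles from the VO service.

    Raises ValueError when no persistent NameID was released: that is the
    case where a VO service has nothing to attach roles to.
    """
    root = ET.fromstring(assertion_xml)
    name_id = persistent_name_id(root)
    if name_id is None:
        raise ValueError("IdP did not release a persistent NameID; cannot bind VO roles")
    attrs = {}  # whatever the IdP did release, possibly nothing beyond the NameID
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    key = (root.findtext("saml:Issuer", namespaces=NS), name_id.text)
    attrs["voRoles"] = VO_ROLES.get(key, [])  # VO roles come from the VO service, not the IdP
    return attrs

# Constructed sample assertion (signature and conditions omitted); the
# attribute is eduPersonScopedAffiliation from the R&S bundle.
ASSERTION_PERSISTENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3-persistent</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>member@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
# Same IdP releasing only a transient NameID: the VO service has no stable key.
ASSERTION_TRANSIENT = ASSERTION_PERSISTENT.replace("format:persistent", "format:transient").replace("a1b2c3-persistent", "_9f8e7d")
```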