Refeds


Subject Re: VO challenges - article
From "Basney, Jim" <jbasney@xxxxxxxxxxxx>
Date Thu, 22 Oct 2015 10:00:14 +0000

IdPs don't release the SAML persistent ID. That is the problem. It is a
policy problem, not an implementation problem.

-Jim

On 10/22/15, 11:56 AM, David Chadwick wrote:
>But this is a requirement of the SAML persistent ID is it not? So if the
>implementation is working correctly, the IdP should not have anything to
>do to ensure this.
>
>David
>
>On 22/10/2015 10:52, Basney, Jim wrote:
>> I agree on the need for a VO attribute service but that does not eliminate
>> the need for at minimum a non-reassigned persistent identifier attribute
>> to be released by the IdP (i.e., the "minimal subset of the R&S attribute
>> bundle"). We can't say that "attribute release is no longer the problem"
>> or "IdPs don't need to change" until IdPs will release at least this
>> minimal attribute (bundle) for VO users so the VO managers have a
>> user identifier to which VO attributes can be attached via a VO attribute
>> service.
>> 
>> -Jim
>> 
>> On 10/22/15, 11:36 AM, David Chadwick wrote:
>>> Hi Heather
>>>
>>> I have read your wiki and thanks for putting it together. However, I
>>> think you miss a fundamental point in your article, unless I have
>>> misread it. You say that attribute release is a fundamental requirement,
>>> but I don't see it quite that way. I don't think that IdPs will ever
>>> release the right set of attributes for VOs. Why? Because they are
>>> unable to. They don't know the right roles to assign to the various VO
>>> participants in the first place. Only the VO managers know this. And
>>> IdPs won't let VO managers update user attributes in their database. So
>>> if IdPs don't know which attributes users should be assigned, they can
>>> never release them, even if they were willing to.
>>>
>>> For this reason I think we need a VO service that will allow the VO
>>> managers themselves to assign the right roles to the VO users, and
>>> that RPs are given the right tools to seamlessly integrate the
>>> attributes/roles from the VO service with the authentication and limited
>>> attribute assertions from the IdP. In this way IdPs don't need to change.
>>> Attribute release is no longer the problem. Instead VO attribute
>>> assignment and aggregation replaces it.
>>>
>>> I believe that this is what COmanage and our VO work in OpenStack are
>>> both doing.
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> On 21/10/2015 23:53, Heather Flanagan wrote:
>>>> Hello all,
>>>>
>>>> I've drafted up a short wiki page on the topic of challenges in the VO
>>>> space. Basically, it's an expansion on my presentation at the REFEDS
>>>> meeting earlier this month at Internet2's TechX.
>>>>
>>>> You can find the write-up here:
>>>> https://wiki.refeds.org/display/GROUP/Ongoing+Challenges+in+the+VO+Space
>>>>
>>>> Feedback is of course encouraged and welcomed!
>>>> -Heather
>>>>
>> 
>>
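The two positions in the thread fit together in the relying party: the IdP supplies authentication plus, at minimum, a persistent non-reassigned identifier (Jim's point), and the VO attribute service supplies the roles that only VO managers can assign (David's point), with the RP joining the two on that identifier. The following is an added illustration, not code from the REFEDS thread, COmanage, OpenStack or any IdP/SP product; the class and function names (`Assertion`, `vo_key`, `VOAttributeService`, `aggregate`, `demo`) and all sample data are constructed. It also shows the failure mode Jim describes: when the IdP releases only a transient NameID, the RP has nothing stable to attach VO roles to and refuses to aggregate.

```python
# Added example (not from the REFEDS thread, COmanage, OpenStack or any
# IdP/SP software): a toy relying party (RP) that takes the minimal IdP
# assertion (authentication plus a persistent, non-reassigned identifier)
# and aggregates it with roles held by a VO attribute service. All names
# and sample data below are constructed for illustration.
from dataclasses import dataclass, field

# Real SAML 2.0 NameID format URNs. The RP accepts only the persistent one
# as a key for VO data: a transient ID changes every session, and an
# identifier the IdP may reassign (a recycled username, say) would let a
# later user inherit an earlier user's VO roles.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass(frozen=True)
class Assertion:
    """The parts of a SAML assertion this toy RP looks at (constructed)."""
    idp: str             # entityID of the asserting IdP
    name_id_format: str  # one of the format URNs above
    name_id: str         # the NameID value
    attributes: dict = field(default_factory=dict)


class MissingPersistentId(Exception):
    """Raised when the IdP did not release a persistent identifier."""


def vo_key(assertion: Assertion) -> str:
    """Derive the key under which the VO service stores a user's roles.

    Only a persistent NameID is accepted, and the key is scoped by the
    IdP's entityID so the same value asserted by two IdPs cannot collide.
    """
    if assertion.name_id_format != PERSISTENT:
        raise MissingPersistentId(
            f"{assertion.idp} released {assertion.name_id_format}; "
            "cannot attach VO attributes")
    return f"{assertion.idp}!{assertion.name_id}"


class VOAttributeService:
    """Roles managed by VO managers, keyed on the scoped persistent ID."""

    def __init__(self) -> None:
        self._roles: dict = {}  # key -> {vo: set(roles)}

    def assign(self, key: str, vo: str, role: str) -> None:
        self._roles.setdefault(key, {}).setdefault(vo, set()).add(role)

    def roles_for(self, key: str) -> dict:
        # Return copies so callers cannot mutate the service's state.
        return {vo: set(r) for vo, r in self._roles.get(key, {}).items()}


def aggregate(assertion: Assertion, service: VOAttributeService) -> dict:
    """RP-side aggregation: login and identity from the IdP, roles from the VO.

    The IdP never needs to know about VO roles and the VO service never
    authenticates anyone; the persistent ID is the join key between them.
    """
    key = vo_key(assertion)
    return {
        "subject": key,
        "idp_attributes": dict(assertion.attributes),
        "vo_roles": service.roles_for(key),
    }


# --- constructed sample data --------------------------------------------
SERVICE = VOAttributeService()
SERVICE.assign("https://idp.example.edu/idp!aPersistentOpaqueValue",
               "cms", "analyst")

ALICE = Assertion(
    idp="https://idp.example.edu/idp",
    name_id_format=PERSISTENT,
    name_id="aPersistentOpaqueValue",
    attributes={"eduPersonScopedAffiliation": "member@example.edu"},
)
# The same IdP configured to release only a transient ID: login still
# works, but nothing can be attached to the user across sessions.
BOB_TRANSIENT = Assertion(
    idp="https://idp.example.edu/idp",
    name_id_format=TRANSIENT,
    name_id="_ephemeral-session-value",
)


def demo() -> tuple:
    """Return (Alice's aggregated VO roles, whether Bob's login was refused)."""
    alice_roles = aggregate(ALICE, SERVICE)["vo_roles"]
    try:
        aggregate(BOB_TRANSIENT, SERVICE)
        refused = False
    except MissingPersistentId:
        refused = True
    return alice_roles, refused


if __name__ == "__main__":
    print(demo())  # ({'cms': {'analyst'}}, True)
```

The design choice worth noting is that the RP fails closed: rather than falling back to a reassignable attribute when no persistent identifier is present, it refuses to aggregate, which is exactly the situation Jim says policy must fix before "IdPs don't need to change" can hold.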