Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Thu, 22 Oct 2015 11:57:59 +0100

But isn't this a protocol issue? The SP can demand this in the request,
can't it? (Certainly in our Shib implementation we can ask for either
persistent or transient, and both work.)


On 22/10/2015 11:00, Basney, Jim wrote:
> IdPs don't release the SAML persistent ID. That is the problem. It is a
> policy problem, not an implementation problem.
> -Jim
> On 10/22/15, 11:56 AM, David Chadwick wrote:
>> But this is a requirement of the SAML persistent ID, is it not? So if the
>> implementation is working correctly, the IdP should not have anything to
>> do to ensure this.
>> David
>> On 22/10/2015 10:52, Basney, Jim wrote:
>>> I agree on the need for a VO attribute service but that does not
>>> eliminate
>>> the need for at minimum a non-reassigned persistent identifier attribute
>>> to be released by the IdP (i.e., the "minimal subset of the R&S
>>> attribute
>>> bundle"). We can't say that "attribute release is no longer the problem"
>>> or "IdPs don't need to change" until IdPs will release at least this
>>> minimal attribute (bundle) for VO users so the VO managers have a
>>> user identifier to which VO attributes can be attached via a VO
>>> attribute
>>> service.
>>> -Jim
>>> On 10/22/15, 11:36 AM, David Chadwick wrote:
>>>> Hi Heather
>>>> I have read your wiki and thanks for putting it together. However, I
>>>> think you miss a fundamental point in your article, unless I have
>>>> misread it. You say that attribute release is a fundamental
>>>> requirement,
>>>> but I don't see it quite that way. I don't think that IdPs will ever
>>>> release the right set of attributes for VOs. Why? Because they are
>>>> unable to. They don't know the right roles to assign to the various VO
>>>> participants in the first place. Only the VO managers know this. And
>>>> IdPs won't let VO managers update user attributes in their database. So
>>>> if IdPs don't know which attributes users should be assigned, they can
>>>> never release them, even if they were willing to.
>>>> For this reason I think we need a VO service that will allow the VO
>>>> managers themselves to assign the right roles to the VO users, and
>>>> that RPs are given the right tools to seamlessly integrate the
>>>> attributes/roles from the VO service with the authentication and
>>>> limited attribute assertions from the IdP. In this way IdPs don't need
>>>> to change.
>>>> Attribute release is no longer the problem. Instead VO attribute
>>>> assignment and aggregation replaces it.
>>>> I believe that this is what Comanage and our VO work in Openstack are
>>>> both doing.
>>>> regards
>>>> David
>>>> On 21/10/2015 23:53, Heather Flanagan wrote:
>>>>> Hello all,
>>>>> I've drafted up a short wiki page on the topic of challenges in the VO
>>>>> space. Basically, it's an expansion on my presentation at the REFEDS
>>>>> meeting earlier this month at Internet2's TechX.
>>>>> You can find the write up here:
>>>>> e
>>>>> Feedback is of course encouraged and welcomed!
>>>>> -Heather
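The protocol mechanism David refers to at the top of the thread is the NameIDPolicy element of a SAML 2.0 AuthnRequest: the SP states which NameID format it wants, and the IdP either honours it or (per Jim's point that this is policy, not implementation) declines. The following is an added example, not code from the thread, from Shibboleth, COmanage or the OpenStack VO work. It builds such a request with Python's standard library, then checks what an IdP returned against the requested format, including the explicit InvalidNameIDPolicy refusal and the case where a transient identifier came back instead of a persistent one. All entity IDs, URLs, NameID values and the three sample responses are constructed for the example; signature, audience and validity-window checks are omitted and must be done by a real SP before any of this is trusted.

```python
"""SAML 2.0 NameIDPolicy round trip: request a persistent NameID, then check
what the IdP actually returned.  Added illustration with hypothetical entity
IDs, URLs and values; signature/condition validation deliberately omitted."""
import datetime
import uuid
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, name_id_format):
    """Build an AuthnRequest whose NameIDPolicy asks the IdP for one NameID format."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    # The "demand": the IdP is asked for this format, and AllowCreate lets it
    # mint a new persistent identifier for a user it has not seen at this SP.
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy",
                  {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_format(authn_request_xml):
    """Read back the format an AuthnRequest asked for (None if no NameIDPolicy)."""
    pol = ET.fromstring(authn_request_xml).find(f"{{{NS_SAMLP}}}NameIDPolicy")
    return pol.get("Format") if pol is not None else None


def check_name_id(response_xml, wanted_format):
    """Return {"ok": True, "key": ...} if the Response carries a NameID of the
    requested format, else {"ok": False, "reason": ...}.  The key for a
    persistent NameID is qualifier!sp-qualifier!value, because the value is only
    unique within that pair of qualifiers (assumed convention for this example)."""
    root = ET.fromstring(response_xml)
    top = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if top is None or top.get("Value") != STATUS_SUCCESS:
        # An IdP that will not issue the requested format can say so with the
        # second-level InvalidNameIDPolicy code nested inside the top-level one.
        second = top.find(f"{{{NS_SAMLP}}}StatusCode") if top is not None else None
        if second is not None:
            return {"ok": False, "reason": second.get("Value")}
        return {"ok": False, "reason": top.get("Value") if top is not None else "no Status"}
    assertion = root.find(f"{{{NS_SAML}}}Assertion")
    name_id = None
    if assertion is not None:
        name_id = assertion.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id is None:
        return {"ok": False, "reason": "no NameID in assertion"}
    fmt = name_id.get("Format")
    if fmt != wanted_format:
        # e.g. transient returned although persistent was requested: a transient
        # value changes every session and cannot key a VO attribute store.
        return {"ok": False, "reason": f"NameID format {fmt} != requested {wanted_format}"}
    issuer = assertion.findtext(f"{{{NS_SAML}}}Issuer") or ""
    key = "!".join([name_id.get("NameQualifier", issuer),
                    name_id.get("SPNameQualifier", ""),
                    (name_id.text or "").strip()])
    return {"ok": True, "key": key}


# Constructed sample responses (not captured from any real IdP).
_HEAD = (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
         'ID="_r1" Version="2.0" IssueInstant="2015-10-22T10:00:00Z">'
         '<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>')
_OK = f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
_ASSERT = ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-10-22T10:00:00Z">'
           '<saml:Issuer>https://idp.example.edu/idp</saml:Issuer><saml:Subject>{}'
           '</saml:Subject></saml:Assertion>')

RESPONSE_PERSISTENT = _HEAD + _OK + _ASSERT.format(
    f'<saml:NameID Format="{FMT_PERSISTENT}" NameQualifier="https://idp.example.edu/idp" '
    'SPNameQualifier="https://sp.example.org/sp">d1f3c2a9b8e7</saml:NameID>') + '</samlp:Response>'

RESPONSE_TRANSIENT = _HEAD + _OK + _ASSERT.format(
    f'<saml:NameID Format="{FMT_TRANSIENT}">_9f8e7d6c5b4a</saml:NameID>') + '</samlp:Response>'

RESPONSE_REFUSED = _HEAD + (
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_RESPONDER}">'
    f'<samlp:StatusCode Value="{STATUS_INVALID_NAMEID_POLICY}"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>')

if __name__ == "__main__":
    req = build_authn_request("https://sp.example.org/sp",
                              "https://idp.example.edu/idp/SSO",
                              "https://sp.example.org/acs", FMT_PERSISTENT)
    print("requested:", requested_format(req))
    for name, resp in [("persistent", RESPONSE_PERSISTENT),
                       ("transient", RESPONSE_TRANSIENT), ("refused", RESPONSE_REFUSED)]:
        print(name, check_name_id(resp, FMT_PERSISTENT))
```

The check is the SP-side counterpart of "the SP can demand this": the request carries the demand, but only the response tells you whether the IdP's release policy met it, which is the gap Jim describes. Keying VO attributes on the qualified persistent value rather than the bare string avoids collisions when two IdPs happen to issue the same opaque value.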