Refeds


Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Thu, 22 Oct 2015 11:57:59 +0100

But isn't this a protocol issue? The SP can demand this in the request,
can't it? (Certainly in our Shib implementation we can ask for either
persistent or transient and both work.)

David


On 22/10/2015 11:00, Basney, Jim wrote:
> IdPs don't release the SAML persistent ID. That is the problem. It is a
> policy problem, not an implementation problem.
> 
> -Jim
> 
> On 10/22/15, 11:56 AM, David Chadwick wrote:
>> But this is a requirement of the SAML persistent ID is it not? So if the
>> implementation is working correctly, the IdP should not have anything to
>> do to ensure this.
>>
>> David
>>
>> On 22/10/2015 10:52, Basney, Jim wrote:
>>> I agree on the need for a VO attribute service but that does not eliminate
>>> the need for at minimum a non-reassigned persistent identifier attribute
>>> to be released by the IdP (i.e., the "minimal subset of the R&S attribute
>>> bundle"). We can't say that "attribute release is no longer the problem"
>>> or "IdPs don't need to change" until IdPs will release at least this
>>> minimal attribute (bundle) for VO users so the VO managers have a
>>> user identifier to which VO attributes can be attached via a VO attribute
>>> service.
>>>
>>> -Jim
>>>
>>> On 10/22/15, 11:36 AM, David Chadwick wrote:
>>>> Hi Heather
>>>>
>>>> I have read your wiki and thanks for putting it together. However, I
>>>> think you miss a fundamental point in your article, unless I have
>>>> misread it. You say that attribute release is a fundamental requirement,
>>>> but I don't see it quite that way. I don't think that IdPs will ever
>>>> release the right set of attributes for VOs. Why? Because they are
>>>> unable to. They don't know the right roles to assign to the various VO
>>>> participants in the first place. Only the VO managers know this. And
>>>> IdPs won't let VO managers update user attributes in their database. So
>>>> if IdPs don't know which attributes users should be assigned, they can
>>>> never release them, even if they were willing to.
>>>>
>>>> For this reason I think we need a VO service that will allow the VO
>>>> managers themselves to assign the right roles to the VO users, and
>>>> that RPs are given the right tools to seamlessly integrate the
>>>> attributes/roles from the VO service with the authentication and limited
>>>> attribute assertions from the IdP. In this way IdPs don't need to change.
>>>> Attribute release is no longer the problem. Instead VO attribute
>>>> assignment and aggregation replaces it.
>>>>
>>>> I believe that this is what COmanage and our VO work in OpenStack are
>>>> both doing.
>>>>
>>>> regards
>>>>
>>>> David
>>>>
>>>>
>>>> On 21/10/2015 23:53, Heather Flanagan wrote:
>>>>> Hello all,
>>>>>
>>>>> I've drafted up a short wiki page on the topic of challenges in the VO
>>>>> space. Basically, it's an expansion on my presentation at the REFEDS
>>>>> meeting earlier this month at Internet2's TechX.
>>>>>
>>>>> You can find the write up here:
>>>>>
>>>>> https://wiki.refeds.org/display/GROUP/Ongoing+Challenges+in+the+VO+Space
>>>>>
>>>>> Feedback is of course encouraged and welcomed!
>>>>> -Heather
>>>>>
>>>
>>>
> 
>
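The persistent-versus-transient exchange above has a concrete SP-side counterpart: the SP states the NameID format it wants in the AuthnRequest's NameIDPolicy, and then must check what the IdP actually returned before it binds VO roles to the identifier. The following is an added example, not code from any participant in this thread or from Shibboleth; the entity IDs, the sample Responses and the opaque NameID value are constructed for illustration.

```python
# Added example: SP-side handling of the NameID format discussed above.
# name_id_policy() builds the NameIDPolicy the SP puts in its AuthnRequest;
# check_name_id() verifies the NameID in the IdP's Response matches it.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def name_id_policy(fmt=PERSISTENT, sp_qualifier="https://sp.example.org/shibboleth"):
    """NameIDPolicy element for the AuthnRequest (hypothetical SP entity ID)."""
    ET.register_namespace("samlp", SAMLP)
    el = ET.Element(f"{{{SAMLP}}}NameIDPolicy",
                    {"Format": fmt, "SPNameQualifier": sp_qualifier, "AllowCreate": "true"})
    return ET.tostring(el, encoding="unicode")

def check_name_id(response_xml, requested=PERSISTENT):
    """Return (ok, detail). ok only when the Subject NameID has the requested
    format and a non-empty value. A transient NameID where persistent was
    requested is the IdP-policy failure described in the thread: the SP then
    has no durable identifier to which VO attributes can be attached."""
    root = ET.fromstring(response_xml)
    nid = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None:
        return False, "no NameID in Subject"
    fmt = nid.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt != requested:
        return False, (f"IdP returned {fmt.rsplit(':', 1)[-1]} NameID, "
                       f"requested {requested.rsplit(':', 1)[-1]}")
    value = (nid.text or "").strip()
    if not value:
        return False, "empty NameID value"
    return True, value

# Constructed sample Responses (not captured traffic); signatures omitted.
RESP_PERSISTENT = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.edu/idp"
      SPNameQualifier="https://sp.example.org/shibboleth">a1b2c3d4-opaque</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>"""
RESP_TRANSIENT = RESP_PERSISTENT.replace(PERSISTENT, TRANSIENT)

if __name__ == "__main__":
    print(name_id_policy())
    print(check_name_id(RESP_PERSISTENT))   # (True, 'a1b2c3d4-opaque')
    print(check_name_id(RESP_TRANSIENT))    # (False, 'IdP returned transient ...')
```

In a real deployment the Response's signature and conditions are validated first; this check sits after that step and before any lookup in the VO attribute service.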