Subject Re: VO challenges - article
From "Cantor, Scott" <cantor.2@xxxxxxx>
Date Tue, 27 Oct 2015 02:42:01 +0000

On 10/26/15, 10:27 PM, "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx> wrote:

>[Mark] Either I have missed the point or you have.
>Sysadmins managing their users' attributes for the purposes of their 
>institution is something that I would consider to be "their job", but managing 
>VO specific attributes for VO purposes is not only not "their job" but it is 
>unrealistic to expect ... which is what I thought was the point.

That's an arbitrary distinction. VOs are nothing different than any other federated application on a campus, and most of those apps would be just as happy to be rid of central IT (and I can't really blame them seeing as I work in that capacity, I know what we're like).

>[Mark] It may be useful to debate a very specific example.  What tools are you 
>envisioning that institutions should provide to external entities for managing 
>user attributes?

The same tools I imagine they already use themselves because they're forced to run them to make up for the lack of support from the organizations for which those users work.

It doesn't really matter whether you agree with me or not on what is appropriate for the campuses to be doing. The point I was making is that the end result of that strategy is to bypass the campuses entirely, and I'm simply observing that.

>[Mark] The applications are better positioned to provide authorization, but 
>NOT to provide authentication.  I am a campus LMS operator.  We do leverage 
>LTIs.  But our LMS uses Shib instead of the LMS built in authentication.

Same road. Eventually the IdP will be removed from that picture; the important IdP in that exchange is the LMS.

The important function of an IdP is the attributes it provides, not the authentication. We have always differed on that, I think.

-- Scott
