Subject Re: VO challenges - article
From "Leif Johansson" <leifj@xxxxxxxx>
Date Tue, 27 Oct 2015 15:21:14 +0900

> On 27 Oct 2015, at 11:42, Cantor, Scott <cantor.2@xxxxxxx> wrote:
> On 10/26/15, 10:27 PM, "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx> wrote:
>> [Mark] Either I have missed the point or you have.
>> Sysadmins managing their user's attributes for the purposes of their 
>> institution is something that I would consider to be "their job", but managing 
>> VO specific attributes for VO purposes is not only not "their job" but it is 
>> unrealistic to expect ... which is what I thought was the point.
> That's an arbitrary distinction. VOs are nothing different than any other federated application on a campus, and most of those apps would be just as happy to be rid of central IT (and I can't really blame them seeing as I work in that capacity, I know what we're like).

exactly - however VOs ICT/IDM has one edge: they are embedded in the process of research

you might conclude that the campus model and its support functions are no longer a perfect fit for (some forms of) research and we're seeing one aspect of that in our corner of the universe

>> [Mark] It may be useful to debate a very specific example.  What tools are you 
>> envisioning that institutions should provide to external entities for managing 
>> user attributes?
> The same tools I imagine they already use themselves because they're forced to run them to make up for the lack of support from the organizations for which those users work.
> It doesn't really matter whether you agree with me or not on what is appropriate for the campuses to be doing. The point I was making is that the end result of that strategy is to bypass the campuses entirely, and I'm simply observing that.
>> [Mark] The applications are better positioned to provide authorization, but 
>> NOT to provide authentication.  I am a campus LMS operator.  We do leverage 
>> LTIs.  But our LMS uses Shib instead of the LMS built in authentication.
> Same road. Eventually the IdP will be removed from that picture; the important IdP in that exchange is the LMS.
> The important function of an IdP is the attributes it provides, not the authentication. We have always differed on that, I think.
> -- Scott