Subject RE: VO challenges - article
From "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
Date Tue, 27 Oct 2015 16:52:38 +0000

> >[Mark] What exactly is an arbitrary distinction?  My opinion is that VOs
> >(external services) are, by definition, different than on campus (internal)
> >applications.
> I don't share that opinion, or perhaps I should say that if I did, I would
> conclude that federation with campuses is fairly pointless. That's the different
> conclusion we're coming to. You want to preserve one minor use case (authentication)
> when I would dismiss that as relatively easily fungible.
[Mark] I think you put me in too small a box.  I think institutional 
attributes are valuable, just not for authorization.

> >There is no vested interest for an institution to maintain
> >attributes in support of an external service.  If an institution has no
> >internal reason to maintain an attribute then why would it bother?
> That's the same argument many campuses use to explain why they're not
> supporting R&S. Thus my conclusion that it's pretty much hand in hand.
[Mark] The R&S attribute set, if I remember, only includes attributes that 
institutions should be maintaining for their own purposes.  The fact that 
external services are also interested is not an argument to stop maintaining 

> >[Mark] I still have no idea what tools you are referring to.  It sounds like
> >you are suggesting that institutions should allow external entities to make
> >changes to their internal users' attributes by providing some sort of tools.
> >And I don't see how this scales.  Is the VO supposed to manage their users'
> >attributes using a suite of duplicated tools supplied by every IdP that any
> >one of their users is associated with?
> If it comes to it (again, I'm not speaking to what "works" but what the
> consequence of it "not working" really is). But I think there would be better
> models, such as data flows between the VOs and the campuses to effect the
> provisioning of attributes. Such tools may or may not exist at this point. As you
> note, it's moot, because so many campuses have washed their hands of the
> idea because it gets them out of doing anything at all.
[Mark] I'm still not understanding what you think campuses should be doing in 
support of VOs.  I suspect that a concrete example would help.

> >[Mark] We must have an issue with vocabulary.  The only 'authentication
> >provider' in the exchange is our local IdP.  And we would be changing LMS
> >vendors if they stopped supporting using our IdP for authentication.
> I said IdP, not authentication provider. IdP has a broader functional scope in
> SAML than just authentication. Once you have a proxy IdP that's doing all the
> real work of attributes and provisioning and so forth, the small bit left is easy to
> replace with a commodity.
> >[Mark] I'm not sure what you mean by "important".  I can agree that attributes
> >are important, but are you really saying that authentication is not important?
> I'm saying it's easily fungible and not much of a reason for people to deal with
> campus IT.
> -- Scott
[Mark] Is it easy to replace authentication with a commodity?  Are you 
suggesting that it would be easy to replace campus authentication with Google 
or some other external authentication provider?  If that is true then why 
would campus IT bother continuing to provide that service?
Maybe we should start talking about 'attribute providers' and 'authentication 
providers' instead of IdPs?
