comanage-dev - [[tf-emc2] VO Proof of Concept from SWITCH]
- From: "RL 'Bob' Morgan" <>
- To: CoMaNaGe-DeV <>
- Subject: [[tf-emc2] VO Proof of Concept from SWITCH]
- Date: Wed, 30 Sep 2009 13:56:04 -0700 (PDT)
For anyone who didn't see this ... - RL "Bob"
---------- Forwarded message ----------
Date: Tue, 29 Sep 2009 15:42:23 +0200
From: Lukas Haemmerle
To: TF-EMC2
Subject: [tf-emc2] VO Proof of Concept using Shibboleth simple attribute aggregation ready
It seems like attribute aggregation currently is a hot topic in the
federated identity management world :-) Although David was one day
quicker I would like to point your attention to another approach for
attribute aggregation, which is part of a Virtual Organizations use-case
that benefits from attribute aggregation.
All of it is based on the Virtual Organization Proof-of-Concept platform
that Thomas and I announced at the GEANT3 meeting in Vienna recently.
Slides from there can be found here:
http://www.switch.ch/aai/downloads/20090908-JRA3-SAML-VO-Platform.pdf
The PoC uses standard Shibboleth IdPs and SPs configured for simple
attribute aggregation together with the Group Management Tool that first
had to be adapted to store data in a MySQL database.
No black magic, hacks or code changes of any kind were necessary for
this PoC. Currently it still uses the swissEduPersonUniqueID (opaque
version of the eduPersonPrincipalName) as identifier for VO services and
not yet the eduPersonTargetedId that is intended to be used later on.
Before you start playing around with this PoC, it might be best to
have a look at this graphic:
http://www.switch.ch/aai/downloads/VOComponentsPoC_small.png
It shows the very basic setup of this proof of concept
taking the user "w.tell" as an example user.
----------------------------------------------------------
VO Service:
https://dieng.switch.ch/vo-enabled/?simple
To access the VO service and see the VO attributes, access the above
URL, on the WAYF choose "AAI Test Home Organisation (Shibboleth 1.3)" as
Home Organisation and then w.tell/demo as loginname/password
Have a look at the entitlement attributes. All attributes starting with
"vo-attribute:" come from the VO platform. There is also one attribute
that comes from the user's Home IdP.
----------------------------------------------------------
VO Platform administration:
https://dieng.switch.ch/gmt/administration/
To administer the VO groups, quit the web browser, restart it and then
do this:
Access the above URL, on the WAYF choose "AAI Test Home Organisation
(Shibboleth 1.3)" as Home Organisation and then use voadmin/demo as
loginname/password.
Add the user "w.tell" for example to the group "DieEidgenossen" and then
try to access the VO service above again as "w.tell" after quitting and
restarting the web browser.
----------------------------------------------------------
User Identity Providers:
For testing with other users you can in principle use any IdP in the AAI
Test federation but in particular you might use these two IdPs:
- AAI Test Home Organisation (Shibboleth 1.3)
Users: "w.tell", "voadmin" with password "demo"
- AAI Demo Home Organisation (Shibboleth 2.x)
Users: "demouser", "demouser2", "umlauttest" with password "demo"
----------------------------------------------------------
Testing:
What you should care about is the entitlement attribute on the VO
service. The entitlement values that are available depend on the groups
and roles in the GMT of the user that accesses the VO service. You
should e.g. see a value "vo-attribute:SwissResistance:groupAdmin" if a
user is groupAdmin of the group SwissResistance.
You can play around with the membership of that or another user within
GMT. If you add or remove the user William Tell (see PS) to and from
groups, this should be reflected in the entitlements of the VO Service.
One can also add and remove groups. No invitation emails are sent, but
the invitations links are of the form:
https://dieng.switch.ch/gmt/registration/confirmUser.php?data=#TOKEN#
and could also be composed and used "manually".
Be aware that changes to a user's group information are only reflected
for new logins with that user account. So, you might have to quit the
browser and log in again to a VO service after you added a user to a new
group. Clicking on the "Reset Database" button overwrites any changes
with default data for this PoC. This of course could lead to problems if
multiple users are testing. Therefore, remember this in case you are not
getting the expected result :-)
----------------------------------------------------------
If you have questions or suggestions on this PoC, please let me know :)
Cheers
Lukas
PS: If you are wondering who the h*** is William Tell? Well, read:
http://en.wikipedia.org/wiki/William_Tell
--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
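The mail describes the entitlement values a VO-enabled service receives ("vo-attribute:<group>:<role>" from the VO platform, other values from the user's Home IdP) and says they are only refreshed at a new login. The following is an added example, not code from SWITCH, the PoC or the Group Management Tool: it parses the multi-valued entitlement attribute as a Shibboleth SP exposes it to an application (values joined with ";", a literal ";" escaped as "\;") and answers group/role questions from it. The sample header value, the role name "member" and the Home IdP entitlement "urn:example:home-idp:staff" are constructed for the example.

```python
"""Parse eduPersonEntitlement values from a Shibboleth SP and check VO roles.

Added example (not the SWITCH PoC's own code). Assumptions:
 - the SP exposes the attribute as one header/env variable whose values are
   joined with ';' and in which a literal ';' is escaped as '\\;';
 - VO-sourced values have the form 'vo-attribute:<group>:<role>' as in the
   mail; values without that prefix come from the user's Home IdP.
"""
from collections import defaultdict

VO_PREFIX = "vo-attribute:"

# Constructed sample header value: two VO-sourced values and one Home IdP value.
SAMPLE_HEADER = (
    "vo-attribute:SwissResistance:groupAdmin;"
    "vo-attribute:DieEidgenossen:member;"
    "urn:example:home-idp:staff"
)


def split_values(raw):
    """Split a Shibboleth SP multi-valued attribute string into its values."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped separator inside a value
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def parse_entitlements(raw):
    """Return ({group: {roles}}, [home_idp_values]) for one attribute string.

    Malformed VO values (wrong number of fields, empty field) are dropped so
    that they can never grant a role by accident.
    """
    vo_roles = defaultdict(set)
    home_values = []
    for value in split_values(raw):
        if not value.startswith(VO_PREFIX):
            home_values.append(value)
            continue
        fields = value[len(VO_PREFIX):].split(":")
        if len(fields) != 2 or not all(fields):
            continue
        group, role = fields
        vo_roles[group].add(role)
    return dict(vo_roles), home_values


def has_role(raw, group, role):
    """True if the entitlements assert `role` in VO group `group`."""
    vo_roles, _ = parse_entitlements(raw)
    return role in vo_roles.get(group, set())


if __name__ == "__main__":
    groups, home = parse_entitlements(SAMPLE_HEADER)
    print("VO groups/roles:", groups)
    print("Home IdP values:", home)
    print("groupAdmin of SwissResistance:",
          has_role(SAMPLE_HEADER, "SwissResistance", "groupAdmin"))
```

Because the values are captured at login, an application should decide authorization from the entitlements of the current session and expect a change made in the GMT to show up only after the user logs in again, exactly as the mail notes.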