COmanage Developers List

Ken had a recent conversation with two of the ORCA/GENI PIs. They 
have a multi-tier application used by people from multiple campuses. 
They have an interesting use case for combining CO + Shib. Actually, 
they have a "poster child" example of how this would work for lots of 
different groups.

Now that we have Benn on board, and presumably working more than 20%, 
I'm wondering if we can think about constructing a demo vehicle that 
we could show in multiple venues.... I'd suggest starting by 
developing a "generic" demo. Then we could talk to individual groups 
(eg ORCA, the two groups identified in the NSF proposal, etc) about 
how they might align with the generic. There's an opportunity to demo 
the generic at an upcoming GENI conference (mid-July).

The attached slide shows the basic demo. Here are the steps:

1) Browser user goes to CO and "registers". Authn is done at the home 
campus IDP. (the VO manager then adds them to the appropriate group, 
or they are added automagically).

3) Browser user goes to the "portal". The  portal is protected by 
Shib; Authn is once again done at the home campus IDP. Shib is 
configured to obtain attributes describing the user from the CO 
instance. (aggregated identity).

5) Browser user "uses" a portlet within the portal. The portlet uses 
Shib's "delegated authn" support to login to a backend service as the 
browser user. The portlet sends a simple SOAP msg to the backend; the 
backend responds; the portlet displays the response. (This is almost 
identical to the proof-of-concept code that UNICON developed to test 
the delegated authN Shib support. "login to a backend service as the 
browser user" is handled by a library developed by UNICON)

Is that the generic use case ? I think so.....

So... here's my specific proposal.....

1) can Benn install a) a CO instance + Shib (he has to learn about 
it), and b) uportal, and c) the UNICON POC portlet within uportal. He 
brings an interesting skill set to the table....

2) I'll install and configure Shib around uportal and the backend svc 
(its a non-std Shib config, because of the use of aggregated identity 
+ delegated authN)

3) I can create the backend svc, protected by Shib. (Its the "hello 
world" of the SOAP universe)

4) Heather and I can work together on developing the script for the demo

Maybe I'm crazy... but I don't think this should be too much work... 
assuming we can get real/virtual machines for the environment..

And this same generic demo could be used with the National Labs crew, etc.

Thoughts ?

(I'm thinking that once we have a "generic" demo to show the ORCA 
PIs, the next step would be to construct a "real" demo that includes 
their portal and their backend service.... )

Attachment: Usage.ppt
Description: MS-Powerpoint presentation