On Thu, Jan 29, 2009 at 7:37 AM, arpit jain <[email protected]> wrote:
>
> I want to know about Shibboleth Interoperability with Attribute Retrieval
> through VOMS which is described in the doc below:
> https://edms.cern.ch/cedar/plsql/doc.info?document_id=807849

This document describes how SWITCH leverages their Shibboleth-based AAI to combine campus attributes with VO attributes in a single VOMS attribute certificate. Their approach is to periodically push campus attributes into VOMS, as opposed to calling out to the Shibboleth Attribute Authority on demand.

> What is the advantage of using Shibboleth attributes in addition to
> attributes given by VOMS?

You can read the article to see the kinds of campus attributes SWITCH is including in VOMS ACs.

In general, there's a distinction to be made between campus attributes and VO attributes. I might have a campus attribute that says "trscavo is a staff member at the University of Illinois" and a VO attribute that asserts "trscavo works for the TeraGrid Science Gateway Program." The University of Illinois doesn't know (or care) what projects I'm working on, but a relying party on the Grid certainly will, so the conclusion is that campus attributes are not sufficient for grid authorization (which is why VOMS is so popular, in fact).

But VO attributes are not sufficient either, since the campus is authoritative for attributes that the VO can never know (with certainty). For example, the Grid relying party may need to know the user's affiliation (e.g., University of Illinois) so it can charge the grid resource usage to a campus-wide allocation. Perhaps more importantly, the campus is a natural source of vetted identity. The University of Illinois will readily assert that I am in fact trscavo, which is something that the VO can leverage. A VO, by its very nature, is unable to vet its members (at scale), so the ability of the VO to federate the user's identity with the campus is a big win.

As Alan mentioned, the VOMS server now issues SAML assertions (in lieu of attribute certificates), so we're seeing a convergence of token formats, which is good. This means that a SAML attribute assertion from the Shibboleth (campus) Attribute Authority can be combined with a SAML attribute assertion from the VOMS Attribute Authority, both of which are presented to a Grid relying party. The SWITCH approach is one possible solution to this problem. You can read the paper for a description of other solutions.

Hope this helps,
Tom
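The relying-party side of what Tom describes, as an added example that is not part of the thread and not code from SWITCH, VOMS or Shibboleth: a Grid relying party receives one SAML 2.0 attribute assertion from the campus Attribute Authority and one from the VOMS Attribute Authority, checks that each comes from the issuer that is authoritative for its kind of attribute, binds both to the same X.509 subject DN, and only then uses the VO attribute for the access decision and the campus attribute to pick the allocation to charge. The entityIDs, the allocation table, the VOMS attribute name (`urn:example:voms:fqan`, an assumption, not the real VOMS SAML profile) and both sample assertions are constructed for illustration; signatures are omitted.

```python
"""Relying-party combination of a campus (Shibboleth) SAML attribute assertion
with a VO (VOMS) SAML attribute assertion.

Added example for this thread; not code from the thread, SWITCH, VOMS or
Shibboleth.  EntityIDs, the VOMS attribute name and both sample assertions are
constructed for illustration.  Signature verification is deliberately left out
and must be done before anything below in a real deployment."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Assumed relying-party trust configuration: the campus IdP is authoritative
# for campus attributes, the VOMS server for VO attributes, and nothing else.
CAMPUS_ISSUERS = {"https://idp.example.edu/idp/shibboleth"}
VO_ISSUERS = {"https://voms.example.org/voms"}

HOME_ORG_ATTR = "urn:oid:1.3.6.1.4.1.25178.1.2.9"  # schacHomeOrganization
VOMS_FQAN_ATTR = "urn:example:voms:fqan"           # assumed name for the FQAN attribute

# Constructed sample assertions (no ds:Signature elements).
CAMPUS_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_campus1" Version="2.0"
    IssueInstant="2009-01-29T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{X509_FORMAT}">/C=US/O=Example University/CN=Jane Grid User</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{HOME_ORG_ATTR}" FriendlyName="schacHomeOrganization">
      <saml:AttributeValue>example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

VO_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_vo1" Version="2.0"
    IssueInstant="2009-01-29T12:00:05Z">
  <saml:Issuer>https://voms.example.org/voms</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{X509_FORMAT}"> /C=US/O=Example University/ CN=Jane Grid User </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{VOMS_FQAN_ATTR}">
      <saml:AttributeValue>/teragrid/gateways/Role=developer/Capability=NULL</saml:AttributeValue>
      <saml:AttributeValue>/teragrid/Role=NULL/Capability=NULL</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class AttributeAssertion:
    issuer: str
    subject: str                      # normalised X.509 subject DN
    attributes: Dict[str, List[str]]  # SAML Attribute Name -> values


def normalise_dn(dn: str) -> str:
    # Collapse whitespace around RDN separators so cosmetic differences in how
    # the IdP and VOMS print the DN neither hide nor fake a subject match.
    return re.sub(r"\s*/\s*", "/", dn.strip())


def parse_assertion(xml_text: str) -> AttributeAssertion:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != X509_FORMAT:
        raise ValueError("Subject must carry an X.509 subject name NameID")
    attributes: Dict[str, List[str]] = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return AttributeAssertion(issuer, normalise_dn(name_id.text or ""), attributes)


def combine(campus: AttributeAssertion, vo: AttributeAssertion) -> dict:
    """Bind both assertions to one principal; keep attributes partitioned by
    source so the campus cannot assert VO roles and the VO cannot assert affiliation."""
    if campus.issuer not in CAMPUS_ISSUERS:
        raise PermissionError(f"untrusted campus issuer {campus.issuer}")
    if vo.issuer not in VO_ISSUERS:
        raise PermissionError(f"untrusted VO issuer {vo.issuer}")
    if campus.subject != vo.subject:
        raise PermissionError("campus and VO assertions name different subjects")
    return {"subject": campus.subject, "campus": campus.attributes, "vo": vo.attributes}


def authorize(ctx: dict, required_fqan: str, allocations: Dict[str, str]) -> Optional[str]:
    """Tom's scenario: the VO attribute grants access, the campus attribute
    selects the allocation to charge.  Returns the allocation or None."""
    if required_fqan not in ctx["vo"].get(VOMS_FQAN_ATTR, []):
        return None
    for org in ctx["campus"].get(HOME_ORG_ATTR, []):
        if org in allocations:
            return allocations[org]
    return None


if __name__ == "__main__":
    ctx = combine(parse_assertion(CAMPUS_ASSERTION), parse_assertion(VO_ASSERTION))
    print(ctx["subject"])
    print(authorize(ctx, "/teragrid/gateways/Role=developer/Capability=NULL",
                    {"example.edu": "alloc-example-edu"}))
```

The subject binding is the security-relevant step: without it a relying party would happily merge a campus assertion about one person with a VO assertion about another. Production code should verify both XML signatures against the configured issuer keys and parse with a hardened XML library (e.g. defusedxml) before any of this runs.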
