Consider the VO-as-Enterprise model (e.g. LIGO, iPlant, ESWN). Consider a CMP hosting multiple VOs (e.g. COmanage).

The original design was that Organizational Identities (e.g. foo@university.edu) would be CMP-wide, and that all VOs hosted on the CMP would have access to all Organizational Identities. In the scenario where Organizational Attributes are basically self-asserted (i.e. not being pulled from LDAP or SAML) this is fine.

However, now consider the case where attributes are pulled from Organizational IdPs. There will presumably be some sort of attribute release policy whereby the IdP determines which attributes it is willing to release to which SP. Packaged attribute policies provided via federations can be ignored here. The worst case to consider is a point-to-point attribute release policy, where the IdP agrees to a policy with the VO, not with the CMP.

(The case where a CMP hosts only a set of related VOs under one encompassing policy reduces to 1 CMP = 1 VO, and so does not change things.)

(The VO-as-Federation model also reduces to 1 CMP = 1 VO.)

The COmanage data model needs to be updated so Organizational Identities can be attached to COs. If foo@university.edu wants to join both LIGO and ESWN, and both are hosted on the same COmanage CMP, then LIGO and ESWN will each hold their own copy of foo@university.edu's attributes, subject to whatever attribute release policies were agreed with each VO. (However, this behavior should be optional, so a CMP can share Organizational Identities across COs if it wishes.)
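The two modes described above, sketched as an added example (not COmanage's own data model or code). The CO ids, the attribute names and the release scenario are constructed for illustration; the point shown is that with per-CO Organizational Identities an attribute the IdP released only to LIGO never becomes visible to ESWN, whereas in the optional CMP-wide sharing mode both COs see the same copy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class OrgIdentity:
    identifier: str              # e.g. foo@university.edu
    co_id: Optional[int]         # None = CMP-wide (shared); otherwise attached to one CO
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class CMP:
    share_org_identities: bool   # the optional CMP-wide sharing mode
    org_identities: List[OrgIdentity] = field(default_factory=list)

    def _find(self, identifier: str, co_id: Optional[int]) -> Optional[OrgIdentity]:
        for oi in self.org_identities:
            if oi.identifier == identifier and oi.co_id == co_id:
                return oi
        return None

    def record_release(self, identifier: str, co_id: int, released: Dict[str, str]) -> OrgIdentity:
        """Store attributes the IdP released to co_id under its point-to-point policy.
        In sharing mode the copy is CMP-wide (co_id None); otherwise it belongs to co_id."""
        owner = None if self.share_org_identities else co_id
        oi = self._find(identifier, owner)
        if oi is None:
            oi = OrgIdentity(identifier, owner)
            self.org_identities.append(oi)
        oi.attributes.update(released)
        return oi

    def visible_to(self, co_id: int) -> List[OrgIdentity]:
        """Organizational Identities a CO may see: its own, plus any CMP-wide ones."""
        return [oi for oi in self.org_identities if oi.co_id is None or oi.co_id == co_id]

    def attributes_for(self, identifier: str, co_id: int) -> Dict[str, str]:
        """Attributes of identifier as seen from co_id (empty if nothing was released to it)."""
        for oi in self.visible_to(co_id):
            if oi.identifier == identifier:
                return dict(oi.attributes)
        return {}

LIGO, ESWN = 1, 2   # constructed CO ids

def demo(share: bool) -> CMP:
    """Constructed scenario: the IdP releases affiliation to LIGO but only eppn to ESWN."""
    site = CMP(share_org_identities=share)
    site.record_release("foo@university.edu", LIGO, {"eppn": "foo@university.edu", "affiliation": "faculty"})
    site.record_release("foo@university.edu", ESWN, {"eppn": "foo@university.edu"})
    return site
```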

Benn Oshrin (benn.oshrin@at.internet2.edu)
