[gin-auth] Multiple VO membership (Some ramblings and 1 question).
vwelch at ncsa.uiuc.edu
Thu May 4 06:23:19 CDT 2006
A couple of comments on this topic.
With regards to GridShib work, there are enhancements available today
for GT 4.0.x at http://gridshib.globus.org that allow for Shibboleth
(i.e. SAML) Attribute based authorization and account mapping (which
work without requiring a grid-mapfile). These will be included out-of-the-box
in GT 4.1/4.2. I'm happy to answer any questions.
And there is VOMS support for GT4 as well; others who know more than
I do have already commented.
With regards to a user choosing a VO when they have membership in
several, the accepted solution to this problem seems to be to use
"push" mode for attributes (or some designation of VO membership).
The idea being that the user indicates their VO/organization by which VOMS
server or Shibboleth IdP they choose to contact (and hence which
attributes they present to the relying party).
On May 3, 2006, at 8:41 AM, Diego R. Lopez wrote:
> David Bannon wrote:
>> Dane, we've been looking at that but have decided, at least for now,
>> the end-to-end use is just not ready. So we're dependent on gridmap
>> files and they really are a very, very blunt weapon!
> Would this not be one of the cases for using dynamic attribute-based
> AAIs à la Shibboleth? The GridShib effort has been around for quite a
> while and I think it could help in dealing with this kind of problem
> in a neat and secure way.
> Just a caveat for those of you who don't know me: I'm trying to bring
> you to my usual playground... I'm heavily involved with the GEANT2
> project in Europe (where we are building an inter-federation AAI) and
> with the Internet2 Shibboleth team.
> "This time we will not fail, Doctor Infierno"
> Dr Diego R. Lopez
> Red.es - RedIRIS
> The Spanish NREN
> e-mail: diego.lopez at rediris.es
> jid: drlopez at im.rediris.es
> Tel: +34 955 056 621
> Mobile: +34 669 898 094
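The "push" mode described in the message above, worked through as a small relying-party example. This is added illustration code, not GridShib or VOMS code: the credential structure, the trust table mapping each VOMS server to the VO it is authoritative for, the mapping policy, and the hostnames (voms.example-atlas.org, voms.example-cms.org) are all constructed assumptions. The point it shows is that a user holding membership in several VOs selects the VO by choosing which attribute issuer to contact, and the relying party maps the local account from the pushed attributes rather than from a per-DN grid-mapfile, so the same DN lands in different accounts depending on which VO's attributes were pushed. A real deployment verifies the signature on the VOMS attribute certificate (or SAML assertion); here that is stood in for by a check of the issuer name against the trust table.

```python
"""Attribute-based account mapping at a relying party, push mode.

Added example (not GridShib/VOMS code).  Trust table, policy and issuer
names are constructed for illustration.  Issuer trust is modelled as a
name lookup where a real service would verify the AC/assertion signature.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PushedCredential:
    subject_dn: str        # the user's identity (certificate DN)
    issuer: str            # VOMS server / IdP that asserted the attributes
    fqans: Tuple[str, ...] # VOMS-style FQANs, primary first, e.g. "/atlas/Role=production"


# Constructed trust table: which issuer is authoritative for which VO.
TRUSTED_ISSUERS: Dict[str, str] = {
    "voms.example-atlas.org": "atlas",
    "voms.example-cms.org": "cms",
}

# Constructed mapping policy, evaluated in order; role None matches any role.
MAPPING_POLICY: List[dict] = [
    {"vo": "atlas", "role": "production", "account": "atlasprd"},
    {"vo": "atlas", "role": None, "account": "atlas001"},
    {"vo": "cms", "role": None, "account": "cms001"},
]


def parse_fqan(fqan: str) -> dict:
    """Split '/vo/group/Role=r/Capability=c' into vo, group path and role.

    VOMS writes unset attributes as 'NULL'; those are normalised to None.
    """
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    parts = fqan.strip("/").split("/")
    path = [p for p in parts if "=" not in p]
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    if not path or not path[0]:
        raise ValueError("FQAN has no VO component")
    role = attrs.get("Role")
    if role == "NULL":
        role = None
    return {"vo": path[0], "group": "/" + "/".join(path), "role": role}


def map_account(cred: PushedCredential) -> Optional[str]:
    """Return the local account for a pushed credential, or None to refuse.

    Refuses when the issuer is unknown, or when it asserts membership in a
    VO other than the one it is trusted for (an issuer may only speak for
    its own VO).  The subject DN is deliberately never consulted: the
    mapping comes from the attributes, not from a grid-mapfile.
    """
    vo_for_issuer = TRUSTED_ISSUERS.get(cred.issuer)
    if vo_for_issuer is None:
        return None
    parsed = [parse_fqan(f) for f in cred.fqans]
    if any(p["vo"] != vo_for_issuer for p in parsed):
        return None
    # Primary FQAN is tried first, then the rest, against the ordered policy.
    for p in parsed:
        for rule in MAPPING_POLICY:
            if rule["vo"] == p["vo"] and rule["role"] in (None, p["role"]):
                return rule["account"]
    return None


def push_for_vo(subject_dn: str, memberships: Dict[str, Tuple[str, Tuple[str, ...]]],
                chosen_vo: str) -> PushedCredential:
    """User side of push mode: picking a VO means contacting that VO's server.

    `memberships` maps vo -> (issuer to contact, FQANs that server would issue);
    it stands in for the user's VOMS/IdP configuration (constructed).
    """
    issuer, fqans = memberships[chosen_vo]
    return PushedCredential(subject_dn=subject_dn, issuer=issuer, fqans=fqans)


if __name__ == "__main__":
    # One user, two VO memberships (constructed sample data).
    alice = "/DC=org/DC=example/CN=Alice"
    alice_vos = {
        "atlas": ("voms.example-atlas.org", ("/atlas/Role=production", "/atlas/higgs")),
        "cms": ("voms.example-cms.org", ("/cms",)),
    }
    for vo in ("atlas", "cms"):
        print(vo, "->", map_account(push_for_vo(alice, alice_vos, vo)))
```

The failure modes worth noting are the two refusals: an issuer not in the trust table gets no account at all, and a trusted issuer that asserts FQANs for some other VO is also refused rather than partially honoured, since accepting it would let one VO's server grant access on another VO's behalf.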