Virtual Organization Concept

This page provides some information about the Virtual Organization proof-of-concept platform that SWITCH set up in late 2009. Very briefly, the main idea is to configure one or more Service Providers to use Shibboleth's simple attribute aggregation feature, with an identifier attribute carried in a NameID that is known at:

  • User's Home Organisation
  • VO Service(s)
  • VO Platform

As shown in the graphic below, this setup allows a VO Service Provider to aggregate attributes for a user from two sources: the user's Home Organisation and the VO Platform. The user must be known by a shared ID (in this case the swissEduPersonUniqueID or the eduPersonPrincipalName) at all involved components. On the VO Platform, the user was previously added to two groups of that VO through an administration interface that manages the group memberships in a database; this database is connected to a standard Shibboleth Identity Provider. The membership in each of these groups is then expressed on the VO service side by a (VO) attribute, whose value in this case is carried in the eduPersonEntitlement attribute.
Please have a look at the presentations below in order to get a better picture of this concept and after that, either watch the screencast (10 minutes) and/or try out the demo yourself.

VO Concept

Documents

Presentations

Setup and Configuration

The VO proof-of-concept uses standard Shibboleth Identity Providers and Service Providers configured for simple attribute aggregation, together with the Group Management Tool (GMT), which serves as a simple VO group administration interface.
No black magic, hacks or code changes of any kind were needed. Currently, the swissEduPersonUniqueID (the opaque version of the eduPersonPrincipalName) or the eduPersonPrincipalName is used as the shared ID. Later, the eduPersonTargetedId is intended to be used, once support for the Affiliation descriptor in the IdP is implemented.

Involved Components

VO Service
To access the VO service and see the VO attributes, open the above URL, on the WAYF choose "AAI Test Home Organisation (Shibboleth 1.3)" as Home Organisation and then log in with w.tell/demo as login name/password. Have a look at the entitlement attributes. All values starting with "vo-attribute:" were released by the VO Platform; there is also one entitlement value that was released by the user's Home Organisation.

What you should care about is the entitlement attribute on the VO service. The entitlement values that are available depend on the groups and roles the accessing user has in the GMT. You should, for example, see the value "vo-attribute:SwissResistance:groupAdmin" if the user is a groupAdmin of the group SwissResistance. Once you are authenticated, also have a look at the assertions ("Show Shibboleth assertions"). You should see three assertions; the last one should be issued by the VO Platform and contain the VO attributes in an attribute statement.
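The following small model makes the flow from the setup section and the VO service description above concrete: a GMT-style group database, the VO Platform turning memberships into vo-attribute:&lt;group&gt;:&lt;role&gt; entitlement values, and an SP merging the Home Organisation's assertion with the VO Platform's answer, keyed on the shared ID. It is an added illustration written for this page, not SWITCH's code and not part of Shibboleth or the GMT; the entity IDs, the scope of w.tell's identifier and the Home Organisation's entitlement value are assumptions, and the default group data is constructed to resemble the PoC.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# SAML attribute names Shibboleth uses for the two eduPerson attributes involved.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
ENTITLEMENT_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

# Entity IDs are assumed for this example; they are not the PoC's real ones.
HOME_ORG = "https://home-org.example.org/idp/shibboleth"
VO_PLATFORM = "https://vo-platform.example.org/idp/shibboleth"

VO_PREFIX = "vo-attribute:"  # prefix of every entitlement value the VO Platform releases


class GroupManagementTool:
    """Stand-in for the GMT database: user -> group -> set of roles."""

    # Constructed default data; the scope of w.tell's eduPersonPrincipalName is assumed.
    DEFAULT = {
        "w.tell@aai-test.example.org": {"SwissResistance": {"groupAdmin", "member"}},
    }

    def __init__(self):
        self.reset()

    def reset(self):
        """Like the PoC's "Reset Database" button: throw away all changes."""
        self.memberships: Dict[str, Dict[str, Set[str]]] = {
            user: {group: set(roles) for group, roles in groups.items()}
            for user, groups in self.DEFAULT.items()
        }

    def add_member(self, user, group, role="member"):
        self.memberships.setdefault(user, {}).setdefault(group, set()).add(role)

    def remove_member(self, user, group):
        self.memberships.get(user, {}).pop(group, None)

    def entitlements(self, user) -> List[str]:
        """Express each group membership and role as one vo-attribute:<group>:<role> value."""
        return sorted(
            f"{VO_PREFIX}{group}:{role}"
            for group, roles in self.memberships.get(user, {}).items()
            for role in roles
        )


@dataclass
class Assertion:
    issuer: str                     # entity ID of the IdP that issued it
    subject: str                    # NameID value, i.e. the shared ID
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def vo_platform_assertion(gmt, shared_id) -> Assertion:
    """Attribute statement the VO Platform IdP returns for an attribute query on shared_id."""
    return Assertion(VO_PLATFORM, shared_id, {ENTITLEMENT_OID: gmt.entitlements(shared_id)})


def accept_entitlement(issuer, value) -> bool:
    """Attribute filter policy: only the VO Platform may assert vo-attribute: values,
    the Home Organisation may assert everything else, nobody else is trusted."""
    if issuer == VO_PLATFORM:
        return value.startswith(VO_PREFIX)
    if issuer == HOME_ORG:
        return not value.startswith(VO_PREFIX)
    return False


def aggregate(session_subject, assertions) -> Dict[str, List[str]]:
    """Merge the attribute statements of several assertions into one SP session.

    An assertion whose NameID is not the shared ID of the authenticated session is
    ignored entirely; entitlement values pass only if the filter policy lets that
    issuer assert them. Values are de-duplicated, order of first appearance is kept.
    """
    merged: Dict[str, List[str]] = {}
    for a in assertions:
        if a.subject != session_subject:
            continue
        for name, values in a.attributes.items():
            for v in values:
                if name == ENTITLEMENT_OID and not accept_entitlement(a.issuer, v):
                    continue
                bucket = merged.setdefault(name, [])
                if v not in bucket:
                    bucket.append(v)
    return merged


def login(gmt, shared_id, home_assertion) -> Dict[str, List[str]]:
    """One new login at the VO service: the Home Organisation's assertion plus a fresh
    query to the VO Platform. GMT changes show up only here, not in an existing session."""
    return aggregate(shared_id, [home_assertion, vo_platform_assertion(gmt, shared_id)])


if __name__ == "__main__":
    gmt = GroupManagementTool()
    user = "w.tell@aai-test.example.org"
    # Constructed Home Organisation assertion. Its second entitlement value imitates a
    # VO role; the filter policy drops it because it does not come from the VO Platform.
    home = Assertion(HOME_ORG, user, {
        EPPN_OID: [user],
        ENTITLEMENT_OID: ["http://example.org/entitlement/library",
                          "vo-attribute:SwissResistance:groupAdmin"],
    })
    print(login(gmt, user, home)[ENTITLEMENT_OID])
    gmt.add_member(user, "DieEidgenossen")          # same as adding w.tell in the GMT
    print(login(gmt, user, home)[ENTITLEMENT_OID])  # new login: one more value
```

Two checks in `aggregate` are the ones worth carrying over to a real deployment: the subject of every aggregated assertion must equal the shared ID of the session, and the SP's attribute filter policy must restrict "vo-attribute:" values to the VO Platform's entity ID (in the Shibboleth SP, a rule on the attribute issuer). Without the second check, any IdP in the federation could assert VO roles for its own users.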

VO Platform administration:
To administer the VO groups, quit the web browser, restart it and open the VO Platform link; on the WAYF choose "AAI Test Home Organisation (Shibboleth 1.3)" as Home Organisation and log in with voadmin/demo as login name/password. Add the user "w.tell", for example, to the group "DieEidgenossen", quit and restart the web browser, and then access the VO service above again as "w.tell".

User Identity Providers:
For testing with other users you can in principle use any IdP in the AAI Test federation but in particular you might use these two IdPs:

  • AAI Test Home Organisation (Shibboleth 1.3)
    Users: "w.tell", "voadmin" with password "demo"
  • AAI Demo Home Organisation (Shibboleth 2.x)
    Users: "demouser", "demouser2", "umlauttest" with password "demo"

You can play around further with the membership of that or another user. If you add the user William Tell (see Varia below) to groups or remove him from them, this should be reflected in the entitlements on the VO Service. One can also add and remove groups.

Be aware that changes to a user's group information are only reflected for new logins with that user account, so you might have to quit the browser and log in again to the VO service after you have added the user to a new group. Clicking the "Reset Database" button overwrites any changes with the default data for this PoC, which can of course lead to problems if multiple users are testing at the same time. Remember this in case you are not getting the expected results :-)

If you have questions or suggestions regarding this PoC, please let us know.

Varia

If you are wondering who William Tell is, please read http://en.wikipedia.org/wiki/William_Tell