Virtual Organization Concept
This page provides technical information about the Virtual Organization (VO) proof-of-concept platform that SWITCH set up in late 2009. Very briefly, the main idea is to configure one or more Service Providers to use Shibboleth's simple attribute aggregation feature and to use an identifier attribute as a NameID that is known at:
- User's Home Organisation
- One or more VO Services
- VO Platform
As shown in the graphic below, this setup allows a VO Service Provider to aggregate attributes for a user from two sources: the user's Home Organisation and the VO Platform. The user must be known by a Shared Identifier (Shared ID) at all involved components. On the VO Platform, the user has previously been added to the VO "Free Switzerland" through an administration interface that manages group memberships in a database, which is connected to a standard Shibboleth Identity Provider. Membership in a VO is then expressed on the VO Service side by a (VO) attribute; in this case the value is carried in the isMemberOf attribute.
It is also technically possible to create groups and subgroups within a VO. Membership in these groups can then also be expressed as isMemberOf attribute values.
Please have a look at the presentations below to get a better picture of this concept; after that, either watch the screencast (10 minutes) and/or try out the demo yourself.
Documents
- Latest release of the VO Platform Design Document (work in progress)
Presentations
- Terena Network Conference 2010 presentation: Virtual Organizations: A New Implementation Approach Using SAML Attribute Aggregation (June 2010)
- Terena Eurocamp presentation: About augmented (attribute) reality: VO management with Shibboleth 2 (November 2009)
- Screencast of current pilot installation:
Setup and Configuration
The proposed solution for implementing VOs uses standard Shibboleth Identity Providers and Service Providers configured for simple attribute aggregation, together with a web-based administration interface. No black magic, hacks or code changes of any kind were needed. For the proof-of-concept as well as for the pilot phase, the swissEduPersonUniqueID (the opaque version of the eduPersonPrincipalName) is used as Shared ID, because the better solution privacy-wise, persistent IDs that differ for each VO a user belongs to, requires that all Identity Providers run at least Shibboleth 2.2. Unfortunately, this version is not yet deployed at many Home Organisations.
Involved Components
VO Service
If you are participating in the VO pilot, are already a member of a VO and want to access a VO service and see the VO attributes, access the above URL, choose your Home Organisation on the WAYF and authenticate at your Home Organisation.
Back on the AAI Viewer, have a look at the isMemberOf attributes. All values starting with "https://vo.switch.ch/" were released by the VO Platform. If you see multiple values for this attribute, it could be that you are in one or more groups within a VO, or that you are a member of more than one VO during the pilot phase. In addition, there is the displayName attribute, which was also released by the VO Platform.
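The aggregation step described above, as an added illustrative model that is not Shibboleth's or SWITCH's code: the VO Service accepts the two attribute sets only when both refer to the same Shared ID, takes isMemberOf values only from the VO Platform, and keeps only values in the "https://vo.switch.ch/" namespace. The entityIDs, sample attribute values and the <prefix><vo>[/<group>] layout of isMemberOf values are constructed for the example.

```python
from dataclasses import dataclass, field

VO_PREFIX = "https://vo.switch.ch/"        # namespace of values released by the VO Platform
SHARED_ID_ATTR = "swissEduPersonUniqueID"  # Shared ID used in the pilot
VO_PLATFORM_ENTITY = "https://vo.example.org/idp"  # constructed entityID of the VO Platform IdP

@dataclass
class Assertion:
    """Attributes one source (Home Org IdP or VO Platform IdP) released for one subject."""
    issuer: str
    shared_id: str                         # NameID value this source knows the user by
    attributes: dict = field(default_factory=dict)

def aggregate(home: Assertion, vo: Assertion) -> dict:
    """Merge Home Org and VO Platform attributes for one user. Both sources must refer
    to the same Shared ID, and isMemberOf is accepted only from the VO Platform."""
    if home.shared_id != vo.shared_id:
        raise ValueError("Shared ID mismatch, refusing to aggregate")
    if vo.issuer != VO_PLATFORM_ENTITY:
        raise ValueError("isMemberOf values accepted only from the VO Platform")
    merged = dict(home.attributes)
    merged[SHARED_ID_ATTR] = home.shared_id
    # Keep only values inside the VO namespace; anything else is discarded.
    merged["isMemberOf"] = sorted(
        v for v in vo.attributes.get("isMemberOf", []) if v.startswith(VO_PREFIX))
    if "displayName" in vo.attributes:     # displayName is also released by the VO Platform
        merged["displayName"] = vo.attributes["displayName"]
    return merged

def memberships(merged: dict) -> dict:
    """Map VO name -> set of groups, assuming values look like <prefix><vo>[/<group>]."""
    result: dict = {}
    for value in merged.get("isMemberOf", []):
        vo_name, _, group = value[len(VO_PREFIX):].strip("/").partition("/")
        groups = result.setdefault(vo_name, set())
        if group:
            groups.add(group)
    return result

# Constructed sample data for one pilot user
HOME_ORG = Assertion("https://idp.example-uni.ch/idp/shibboleth", "1234abcd@example-uni.ch",
                     {"mail": "w.tell@example-uni.ch"})
VO_PLATFORM = Assertion(VO_PLATFORM_ENTITY, "1234abcd@example-uni.ch",
                        {"displayName": "William Tell",
                         "isMemberOf": [VO_PREFIX + "free-switzerland",
                                        VO_PREFIX + "free-switzerland/archers",
                                        "urn:mace:other:group"]})  # outside namespace, dropped

def example() -> dict:
    return aggregate(HOME_ORG, VO_PLATFORM)
```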
VO Platform administration:
To administer a Virtual Organization, one of its administrators has to access the VO Platform administration interface. There, they can add new services, invite new members, and set the Virtual Organization's enrollment policy, name and description, time, etc. All of this is done via a web interface that is protected by AAI.
In order to become a member of a VO, an AAI account is required, because the whole concept relies heavily on AAI and its technologies.
If you have more detailed questions or suggestions regarding this concept, please let us know.
Varia
If you are wondering who is William Tell, please read http://en.wikipedia.org/wiki/William_Tell
