Virtual Organization Concept
The architecture and technical aspects described on this page were used to create the SWITCHtoolbox service. If you want to test this approach yourself, create your own toolbox and start working together with the people you invite.
This page provides technical information about the Virtual Organization (VO) proof-of-concept platform that SWITCH set up in late 2009. Very briefly, the main idea is to configure one or more Service Providers to use Shibboleth's simple attribute aggregation feature, with an identifier attribute used as a NameID that is known at:
- User's Home Organisation
- One or more VO Services
- VO Platform
As shown in the graphic below, this setup allows a VO Service Provider to aggregate attributes for a user from two sources: the user's Home Organisation and the VO Platform. The user must be known by the same Shared Identifier (Shared ID) at all involved components. On the VO Platform, the user was previously added to the VO "Free Switzerland" using an administration interface that manages the group memberships in a database; this database is connected to a standard Shibboleth Identity Provider. On the VO Service side, membership in a VO is then expressed by a (VO) attribute, in this case as a value of the isMemberOf attribute.
It is also technically possible to create groups and subgroups within a VO. The membership information for these groups could then also be expressed as isMemberOf attribute values. Please have a look at the presentations below to get a better picture of this concept, and then either watch the screencast (10 minutes) and/or try out the demo yourself.
- Latest release of the VO Platform Specification
- Terena Network Conference 2010 presentation: Virtual Organizations: A New Implementation Approach Using SAML Attribute Aggregation (June 2010)
- Terena Eurocamp presentation: About augmented (attribute) reality: VO management with Shibboleth 2 (November 2009)
- Screencast of a former pilot installation
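To make the VO Platform side concrete, the following is an added example of how the VO Platform's Shibboleth Identity Provider (IdP 2.x) can be configured to answer an attribute query for a Shared ID with isMemberOf values taken from the membership database. This is example configuration written for this page, not the files of the SWITCH pilot; the entityIDs, host names, table and column names, the NameID format and the JDBC settings are assumptions, and the isMemberOf value is hypothetical.

```xml
<!-- attribute-resolver.xml (excerpt) of the VO Platform IdP, Shibboleth IdP 2.x -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- The NameID in the SP's AttributeQuery carries the Shared ID itself, so
       it is mapped directly to the principal name. The format is an assumption
       and must match what the querying VO Service SP sends. -->
  <resolver:PrincipalConnector xsi:type="pc:Direct" id="sharedId"
      nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

  <!-- Membership database maintained by the VO administration interface,
       assumed here as one row per (shared_id, vo_name). The principal name is
       substituted into the template by the IdP; it originates from the NameID
       supplied by the querying SP, so treat it as external input. -->
  <resolver:DataConnector id="voMembership" xsi:type="dc:RelationalDatabase">
    <dc:ApplicationManagedConnection
        jdbcDriver="org.postgresql.Driver"
        jdbcURL="jdbc:postgresql://localhost/vo"
        jdbcUserName="idp"
        jdbcPassword="CHANGE-ME"/>
    <dc:QueryTemplate>
      <![CDATA[
        SELECT vo_name FROM membership WHERE shared_id = '$requestContext.principalName'
      ]]>
    </dc:QueryTemplate>
    <!-- every matching row becomes one isMemberOf value -->
    <dc:Column columnName="vo_name" attributeID="isMemberOf"/>
  </resolver:DataConnector>

  <!-- Expose the memberships as the standard isMemberOf attribute (OID
       1.3.6.1.4.1.5923.1.5.1.1) in SAML 2 attribute statements -->
  <resolver:AttributeDefinition id="isMemberOf" xsi:type="ad:Simple"
      sourceAttributeID="isMemberOf">
    <resolver:Dependency ref="voMembership"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>

<!-- attribute-filter.xml (excerpt): release isMemberOf only to known VO Services -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToVoService">
    <!-- entityID of the VO Service SP (placeholder) -->
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://vo-service.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The VO Platform IdP never authenticates the user itself; it only answers back-channel attribute queries. The query is authenticated against the SP's SAML metadata, so every VO Service SP that is allowed to ask for memberships has to be loaded into the IdP's metadata, and the filter policy above should list exactly those SPs rather than releasing isMemberOf to everybody.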
Setup and Configuration
The proposed solution for implementing VOs uses standard Shibboleth Identity Providers and Service Providers configured for simple attribute aggregation, together with a web-based administration interface. No black magic, hacks or code changes of any kind were needed. For the proof-of-concept as well as for the pilot phase, the swissEduPersonUniqueID (the opaque counterpart of the eduPersonPrincipalName) is used as Shared ID. Note that a Shibboleth SP queries only entities whose metadata it has loaded, and a Shibboleth IdP authenticates attribute queries against the requesting SP's metadata, so VO Service and VO Platform have to exchange metadata just like a regular SP/IdP pair.
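The following is an added example of the corresponding VO Service side: a Shibboleth SP 2.x configured for simple attribute aggregation, so that the Shared ID received from the Home Organisation is sent as NameID to the VO Platform IdP and the returned isMemberOf values are used for access control. This is example configuration written for this page, not the configuration of the SWITCH pilot or the SWITCHtoolbox service; the entityIDs, host names, paths, the NameID format and the isMemberOf value are assumptions, and the NameID format must match the one configured at the VO Platform IdP.

```xml
<!-- shibboleth2.xml (excerpt) of a VO Service Provider, Shibboleth SP 2.x -->
<ApplicationDefaults entityID="https://vo-service.example.org/shibboleth"
                     REMOTE_USER="swissEduPersonUniqueID">

  <!-- attribute-map.xml maps SAML attribute names to local ids, see below -->
  <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>

  <!-- More than one resolver must be wrapped in a Chaining resolver -->
  <AttributeResolver type="Chaining">
    <!-- 1. Standard back-channel query to the Home Organisation IdP, in case
            no attributes were pushed with the assertion -->
    <AttributeResolver type="Query" subjectMatch="true"/>
    <!-- 2. Simple aggregation: the value of the Shared ID attribute becomes
            the NameID of an AttributeQuery to the VO Platform IdP; the
            attributes it returns (isMemberOf) are merged into the session -->
    <AttributeResolver type="SimpleAggregation"
                       attributeId="swissEduPersonUniqueID"
                       format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      <Entity>https://vo-platform.example.org/idp/shibboleth</Entity>
    </AttributeResolver>
  </AttributeResolver>

  <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

  <!-- The VO Platform IdP must be present in the SP's metadata: the SP only
       queries an Entity it finds there, and it uses that metadata to
       authenticate the AttributeService endpoint (placeholder file name) -->
  <MetadataProvider type="XML" file="vo-platform-metadata.xml"/>
</ApplicationDefaults>

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="vo-service.example.org">
      <!-- Only members of the VO get in. The isMemberOf value is hypothetical;
           the real value is whatever the VO Platform stores for the VO. -->
      <Path name="vo/free-switzerland" authType="shibboleth" requireSession="true">
        <AccessControl>
          <Rule require="isMemberOf">urn:mace:example.org:vo:free-switzerland</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>

<!-- attribute-map.xml (excerpt): accept the Shared ID and the VO attribute by OID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1" id="swissEduPersonUniqueID"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
```

Two things are worth checking in such a setup. First, the aggregation is only triggered if the Home Organisation actually releases swissEduPersonUniqueID to the VO Service, so the attribute release policy at the Home Organisation is part of the configuration. Second, the SP's default attribute-policy.xml accepts any attribute from any issuer; if a Home Organisation IdP could also assert isMemberOf, the policy should restrict isMemberOf to the VO Platform as issuer (an AttributeIssuerString rule), otherwise a VO membership could be claimed by the wrong party.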
If you are wondering who William Tell is, please read http://en.wikipedia.org/wiki/William_Tell