SWITCH Virtual Organization Demo

SWITCH have created a live demo of the Virtual Organization concept, combining SAML 2.0 Attribute Queries with the GMT tool.

I found some time to complete the Virtual Organization Proof-of-Concept platform Thomas and I described in Vienna recently.

It uses standard Shibboleth IdPs and SPs configured for simple attribute aggregation, together with the Group Management Tool, which first had to be adapted to store its data in a MySQL database. No black magic, hacks or code changes of any kind were necessary for this PoC. Currently it still uses the swissEduPersonUniqueID (the opaque version of the eduPersonPrincipalName) as the identifier for VO services, and not yet the eduPersonTargetedId that is intended to be used later on.

Before you start playing around with this PoC, it might be best to have a look at this graphic:

It shows the very basic setup of this proof of concept taking the user "w.tell" as an example user.


To access the VO service and see the VO attributes, access the above URL, on the WAYF choose "AAI Test Home Organisation (Shibboleth 1.3)" as Home Organisation and then log in with w.tell/demo as loginname/password. Have a look at the entitlement attributes. All attribute values starting with "vo-attribute:" come from the VO platform. There is also one attribute that comes from the user's Home IdP.


To administer the VO groups, quit the web browser, restart it and do this:

  1. Access the above URL and, on the WAYF, choose "AAI Test Home Organisation (Shibboleth 1.3)" as Home Organisation.
  2. Log in with voadmin/demo as loginname/password.
  3. Add the user "w.tell", for example, to the group "DieEidgenossen".
  4. Try to access the VO service above again as "w.tell" after quitting and restarting the web browser.

User Identity Providers: For testing with other users you can in principle use any IdP in the AAI Test federation, but in particular you might use these two IdPs:

  • AAI Test Home Organisation (Shibboleth 1.3) Users: "w.tell", "voadmin" with password "demo"
  • AAI Demo Home Organisation (Shibboleth 2.x) Users: "demouser", "demouser2", "umlauttest" with password "demo"

Testing: What you should care about is the entitlement attribute on the VO service. The entitlement values that are available depend on the groups and roles in the GMT of the user that accesses the VO service. You should e.g. see the value "vo-attribute:SwissResistance:groupAdmin" if the user is a groupAdmin of the group SwissResistance.
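As an added illustration (not code from SWITCH or from the PoC itself) of what a VO service has to do with the aggregated entitlement attribute: separate the values that came from the VO platform (prefix "vo-attribute:") from the one that came from the Home IdP, turn the VO values into a group-to-roles map, and base the access decision on that map only. The sample attribute string below is constructed, including the Home IdP value; it assumes the Shibboleth SP's usual export of a multi-valued attribute as one string with values joined by ";" and literal semicolons escaped as "\;". Malformed VO values are ignored rather than guessed at, so a stray value cannot grant a role.

```python
"""Evaluate a VO entitlement attribute as seen by a Shibboleth-protected VO service.

Values of the form 'vo-attribute:<Group>:<role>' originate from the VO platform
(GMT via SAML 2.0 Attribute Query); anything else came from the user's Home IdP.
"""
import re
from collections import defaultdict

VO_PREFIX = "vo-attribute:"

# Constructed sample of the entitlement attribute for "w.tell" after the GMT
# admin added him to "DieEidgenossen". The first value stands in for the one
# Home IdP attribute and is an invented example, not a real SWITCHaai value.
SAMPLE_ENTITLEMENT = (
    "urn:mace:example.org:entitlement:home-idp-value;"
    "vo-attribute:SwissResistance:groupAdmin;"
    "vo-attribute:SwissResistance:member;"
    "vo-attribute:DieEidgenossen:member;"
    "vo-attribute:broken"  # malformed: no role part, must be ignored
)


def split_shib_values(attribute):
    """Split a multi-valued attribute as the Shibboleth SP exports it:
    values joined by ';', literal semicolons escaped as '\\;'."""
    parts = re.split(r"(?<!\\);", attribute)
    return [p.replace("\\;", ";") for p in parts if p]


def parse_entitlements(values):
    """Return (vo, other): vo maps group -> set of roles for well-formed
    VO values; other holds every non-VO value (e.g. from the Home IdP)."""
    vo = defaultdict(set)
    other = []
    for value in values:
        value = value.strip()
        if not value:
            continue
        if not value.startswith(VO_PREFIX):
            other.append(value)
            continue
        fields = value[len(VO_PREFIX):].split(":")
        if len(fields) != 2 or not all(fields):
            continue  # malformed VO value: skip, never grant anything from it
        group, role = fields
        vo[group].add(role)
    return dict(vo), other


def has_vo_role(attribute, group, role):
    """True if the VO platform asserted `role` in `group` for this user."""
    vo, _ = parse_entitlements(split_shib_values(attribute))
    return role in vo.get(group, set())


def authorize(attribute, required):
    """Grant access if any (group, role) pair in `required` is asserted."""
    return any(has_vo_role(attribute, g, r) for g, r in required)


if __name__ == "__main__":
    vo, other = parse_entitlements(split_shib_values(SAMPLE_ENTITLEMENT))
    print("VO memberships:", vo)
    print("Home IdP values:", other)
    print("groupAdmin of SwissResistance:",
          authorize(SAMPLE_ENTITLEMENT, [("SwissResistance", "groupAdmin")]))
    print("groupAdmin of DieEidgenossen:",
          authorize(SAMPLE_ENTITLEMENT, [("DieEidgenossen", "groupAdmin")]))
```

Because the SP only refreshes the aggregated attributes at login, a decision made this way reflects the GMT state at the time the user's session was created; a membership added in GMT shows up only after the user logs in again, which is exactly the behaviour described for this PoC.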

You can play around with the membership of that or another user within GMT. If you add or remove the user William Tell (see PS) to and from groups, this should be reflected in the entitlements of the VO Service. One can also add and remove groups. No invitation emails are sent, but the invitation links are of the form:

  • https://dieng.switch.ch/gmt/registration/confirmUser.php?data=#TOKEN# and could also be composed and used "manually".

Be aware that changes to a user's group information are only reflected for new logins with that user account. So, you might have to quit the browser and log in again to a VO service after you added a user to a new group. Clicking on the "Reset Database" button overwrites any changes with default data for this PoC. This of course could lead to problems if multiple users are testing. Therefore, remember this in case you are not getting the expected result :-)


If you have questions or suggestions on this PoC, please let me know :)