...
- Aggregating the attributes provided by the IdP and the attribute authorities makes the configuration for the SP easier
- Easy to add new attribute authority tools or new IdPs to the pilot
- The proxy can control the attributes and entitlements that are provided to the services
- For authorization, services expect to receive certain attributes and entitlements with values in a given format
- Uniform attribute semantics and syntax across multiple communities/infrastructures will never happen
- Funnelling all AuthN/AuthZ information through an IdP/SP proxy makes it possible to rename, edit and control the attributes
- The IdP proxy can provide the group information in a different syntax from the one stored by the communities
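
The sketch below illustrates the points in the list above: a proxy that aggregates attributes from the IdP and the attribute authorities, renames them, rewrites group information into another syntax and releases only what each service is allowed to receive. It is an added example, not code from the pilot; the attribute names, group path syntax, URN namespace, SP entity IDs and the rule that authorities may only assert groups are all assumptions.

```python
# All names below (attribute names, group path syntax, URN namespace, SP
# entity IDs) are constructed for illustration, not taken from the pilot.
RENAME = {"mail": "email", "eduPersonPrincipalName": "eppn"}
URN_PREFIX = "urn:example:pilot:group:"      # hypothetical namespace
AUTHORITY_MAY_ASSERT = {"groups"}            # assumption: no identity attributes
RELEASE_POLICY = {                           # what each service may receive
    "https://cloud.example.org/sp": {"eppn", "entitlement"},
    "https://wiki.example.org/sp": {"eppn", "email"},
}

def group_to_entitlement(group):
    """Turn a community group path such as '/vo/ops/admins' into a URN value."""
    parts = group.strip("/").split("/")
    if not all(p and p.replace("-", "").isalnum() for p in parts):
        raise ValueError(f"unexpected group syntax: {group!r}")
    return URN_PREFIX + ":".join(parts)

def aggregate(idp_attrs, authorities):
    """Merge IdP and attribute-authority attributes under one naming scheme."""
    merged = {}
    for name, values in idp_attrs.items():
        merged.setdefault(RENAME.get(name, name), []).extend(values)
    for attrs in authorities:
        for name, values in attrs.items():
            if name in AUTHORITY_MAY_ASSERT:  # drop anything else they send
                merged.setdefault(name, []).extend(values)
    groups = merged.pop("groups", [])
    if groups:
        merged["entitlement"] = sorted({group_to_entitlement(g) for g in groups})
    return merged

def release(sp_entity_id, idp_attrs, authorities):
    """Return only the attributes the policy allows for this service."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())  # unknown SP gets nothing
    merged = aggregate(idp_attrs, authorities)
    return {k: v for k, v in merged.items() if k in allowed}

if __name__ == "__main__":
    # Constructed sample assertion data.
    idp = {"eduPersonPrincipalName": ["alice@idp.example.org"],
           "mail": ["alice@example.org"]}
    aa = [{"groups": ["/vo/ops/admins"],
           "eduPersonPrincipalName": ["other@aa.example.org"]},
          {"groups": ["/vo/ops"]}]
    print(release("https://cloud.example.org/sp", idp, aa))
```
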
On the Service Provider side, we can test the user authentication and authorization implementation on a widely deployed cloud framework by using federated identities:
- It is not necessary to create local accounts for the users; ephemeral ones will be used
- Access to the resources is regulated by the entitlements released by the IdP proxy and provided by one of the attribute authorities.
The current status of this work was presented at the general AARC meeting in Utrecht in May 2016. See this slide presentation for more details: SA1.2 Pilots. Updates
...