myVocs is a virtual organization collaboration system (VOCS) developed at the University of Alabama at Birmingham funded by NSF ANI-0330543 "NMI Enabled Open Source Collaboration Tools for Virtual Organizations". This page gives an overview of myVocs. See the attachment at the bottom of this page for a recent presentation.
The myVocs and GridShib project teams are exploring ways to integrate their respective software products. See the topic MyVocsGridShibIntegration for more information about the proposed integration.
Basically, myVocs is a SAMLIdPProxy, a bridge between a federation of Shibboleth IdPs and a federation of Shibboleth SPs:
<img src="http://gridshib.globus.org/images/profiles/myvocs-arch_files/image001.gif" alt="myVocs Architecture" />
Using myVocs, the SPs (called VO SPs) may be aggregated into virtual organizations (VOs). We think of a VO as a group of people, and the aggregated SPs as a federated set of distributed applications. An important feature of myVocs is that a single VO SP may serve multiple VOs.
Like the IdPs, the VO SPs may reside in arbitrary administrative domains. Using off-the-shelf, open source software components (such as Shibboleth, MySQL, and Sympa), myVocs provides the "glue" that authorizes access to a VO SP based on membership in a specific VO.
In myVocs, a VO consists of a set of tools or applications protected by VO SPs that share mutual trust with a VO IdP. The following diagram illustrates the relationship among the various myVocs components:
<img src="http://gridshib.globus.org/images/profiles/myvocs-protocol_files/image001.gif" alt="myVocs Protocol" />
Here is an outline of a typical myVocs flow for webapps:
Any number of webapps may be protected in this way. The topic OnBecomingVOSP describes the process of becoming a VO SP.
What attributes are captured and persisted at step 12? Today, myVocs requires the federation IdP to release the attribute eduPersonPrincipalName, a globally unique identifier for the principal. This global identifier is permanently bound to a local identifier in the VO database. It is this binding that permits myVocs to determine the VO attributes associated with the user.
The local identifier is determined as a result of a one-time registration step. At the time of registration, the user's global identifier is bound to a local identifier in the VO database. A more flexible registration process is being implemented.
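To make the binding step concrete, here is an added example (not myVocs code) that models the proxy's core decision: an inbound federation assertion carrying eduPersonPrincipalName is mapped through the one-time binding to a local identifier, the local identifier to VO memberships, and access to a VO SP is granted only if the user belongs to a VO that SP serves. The SQLite schema, table names, entity IDs and user data are all constructed assumptions; the page does not describe the actual VO database layout.

```python
import sqlite3

# Constructed model of the myVocs binding/authorization step (added example,
# not myVocs code). Schema and table names are assumptions; the page only says
# a global identifier (eduPersonPrincipalName) is bound to a local identifier.
SCHEMA = """
CREATE TABLE binding    (eppn TEXT PRIMARY KEY, local_id INTEGER UNIQUE);
CREATE TABLE membership (local_id INTEGER, vo TEXT, PRIMARY KEY (local_id, vo));
CREATE TABLE sp_vo      (sp_entity_id TEXT, vo TEXT, PRIMARY KEY (sp_entity_id, vo));
"""

def register(db, eppn, local_id):
    """One-time registration: permanently bind the global identifier to a local one."""
    db.execute("INSERT INTO binding VALUES (?, ?)", (eppn, local_id))

def vo_attributes(db, assertion_attrs):
    """Translate the federation IdP's released attributes into VO memberships.
    Returns None when ePPN is absent or the user never registered, so a caller
    can tell 'unknown user' apart from 'registered but in no VO'."""
    eppn = assertion_attrs.get("eduPersonPrincipalName")
    if not eppn:
        return None
    row = db.execute("SELECT local_id FROM binding WHERE eppn = ?", (eppn,)).fetchone()
    if row is None:
        return None
    rows = db.execute("SELECT vo FROM membership WHERE local_id = ?", (row[0],))
    return sorted(vo for (vo,) in rows)

def authorize(db, sp_entity_id, assertion_attrs):
    """Grant access only if the user belongs to at least one VO this SP serves."""
    vos = vo_attributes(db, assertion_attrs) or []
    served = db.execute("SELECT vo FROM sp_vo WHERE sp_entity_id = ?", (sp_entity_id,))
    return bool({vo for (vo,) in served} & set(vos))

def sample_db():
    """Constructed data: two VOs, one SP serving both, one user in 'alpha' only."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    register(db, "alice@idp.example.edu", 1)
    db.execute("INSERT INTO membership VALUES (1, 'alpha')")
    db.executemany("INSERT INTO sp_vo VALUES (?, ?)",
                   [("https://wiki.example.org/shibboleth", "alpha"),
                    ("https://wiki.example.org/shibboleth", "beta"),
                    ("https://beta-only.example.org/shibboleth", "beta")])
    return db
```

Because the SP serving both VOs and the SP serving only "beta" give different answers for the same user, the example also shows why a VO SP must be configured with the set of VOs it serves rather than trusting any assertion from the VO IdP.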
In the architecture diagram above, the myVocs SP relies on an ordinary WAYF for IdP discovery. In fact, myVocs can provide an enhanced IdP discovery experience for the end user.