15 - Development for a Virtual Organization Platform: GakuNin-mAP and its Case Study in a Japanese Federation.

Kazutsuna Yamaji, Takeshi Nishimura, Motonori Nakamura, Noboru Sonehara (National Institute of Informatics), Hitoshi Inoue (Kyushu University)

The Japanese academic access federation, GakuNin, is deploying federated identity in Japan using the SAML 2.0 standard, primarily with Shibboleth software. GakuNin entered production operation in 2010 and has grown today to 25 IdPs and 20 SPs. Under current policy, GakuNin stipulates 16 attributes based on the eduPerson schema. However, SP operators also want additional group membership information, defined by virtual organizations and encoded into attributes. This study developed a virtual organization platform named GakuNin-mAP for several typical organizations in our federation. GakuNin-mAP supports attribute aggregation using secondary attribute queries over a standard back channel protocol implemented by Shibboleth. GakuNin-mAP allows membership to be assigned by two different mechanisms: a community can define its own groups in a bottom-up approach, and contracts can define groups from the top down. SNS, Wiki, and ML services utilize the former approach, while electronic journals, book services, and other content providers utilize the latter approach. Community services generally apply their own access control independently, depending on the membership attributes from GakuNin-mAP. Contractual services allow each SP to define a fixed attribute representing permission to use their service. The SP administrator can use the GakuNin-mAP interface to match group memberships to their unique SP attribute, generally based on the offline contract. Access rights can thus be checked against a simple permission-granting attribute without the need to check each membership attribute individually. This also permits SPs that wish to do so to outsource the access control configuration entirely. This poster explains GakuNin-mAP and its functionality in greater detail.

