UVOS usage scenarios

There are several typical deployments in which UVOS can be used. We present them below.

PULL authorization

In the so-called "pull mode", a service (e.g. a grid execution server, or Unicore/X in the case of the UNICORE middleware) contacts the UVOS server to obtain the attributes of a user who tries to use one of its services.

The attributes received from the UVOS server can be used for authorization (e.g. the server's policy may permit only those users who are in a certain UVOS group or possess certain attributes). The service may also use the received attributes for other purposes; for instance, UNICORE can be configured to take the requester's local UNIX account from a predefined (scoped) UVOS attribute. The attribute scope is used to distinguish mappings for multiple servers.

The PULL mode is depicted in the figure below:

Pull mode is transparent for grid users. However, it is more difficult for grid administrators to set up: every grid site must be correctly configured to use UVOS.
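As an added illustration of the pull-mode decision (example code written for this page, not part of UVOS or UNICORE): the service fetches a user's groups and attributes, evaluates its local policy over them, and derives the local UNIX account from a scoped attribute, preferring the value scoped to this server and falling back to the unscoped one. The attribute server is a constructed in-memory stub, and the attribute name `xlogin`, the scope identifiers, the DNs and the policy layout are all assumptions made for the example.

```go
package main

import "fmt"

// Attribute: a name, an optional scope (distinguishes mappings for multiple servers), values.
type Attribute struct {
	Name, Scope string // empty Scope means "unscoped"
	Values      []string
}
// UserAttributes is what the service receives for one user in pull mode.
type UserAttributes struct {
	Groups     []string
	Attributes []Attribute
}

// stubDirectory is constructed sample data standing in for the UVOS server's reply.
var stubDirectory = map[string]UserAttributes{
	"CN=alice,O=Grid": {
		Groups: []string{"/vo/project-a", "/vo/project-a/admins"},
		Attributes: []Attribute{
			{Name: "xlogin", Values: []string{"alice"}},
			{Name: "xlogin", Scope: "site-b", Values: []string{"al"}},
			{Name: "role", Values: []string{"user", "admin"}},
		},
	},
	"CN=bob,O=Grid": {Groups: []string{"/vo/project-b"}, Attributes: []Attribute{{Name: "role", Values: []string{"user"}}}},
}

// PullAttributes is the hypothetical pull-mode lookup (not the UVOS API); a real one is a network call.
func PullAttributes(userDN string) (UserAttributes, error) {
	if ua, ok := stubDirectory[userDN]; ok {
		return ua, nil
	}
	return UserAttributes{}, fmt.Errorf("attribute lookup failed for %q", userDN)
}

// Policy: the requester must be in RequiredGroup and hold each attribute with one of the given values.
type Policy struct {
	RequiredGroup string
	RequiredAttrs map[string][]string
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// Authorize is the pull-mode decision: fetch, then evaluate. It fails closed on lookup errors.
func Authorize(userDN string, p Policy) (bool, error) {
	ua, err := PullAttributes(userDN)
	if err != nil {
		return false, err
	}
	if !contains(ua.Groups, p.RequiredGroup) {
		return false, nil
	}
	for name, wanted := range p.RequiredAttrs {
		found := false
		for _, a := range ua.Attributes {
			for _, w := range wanted { // only unscoped attributes count for policy
				found = found || (a.Name == name && a.Scope == "" && contains(a.Values, w))
			}
		}
		if !found {
			return false, nil
		}
	}
	return true, nil
}

// MapUnixAccount derives the local account from the (assumed) "xlogin" attribute: the value
// scoped to this server wins, an unscoped value is the fallback, ambiguity is refused.
func MapUnixAccount(ua UserAttributes, serverID string) (string, error) {
	var scoped, unscoped []string
	for _, a := range ua.Attributes {
		if a.Name == "xlogin" && a.Scope == serverID {
			scoped = append(scoped, a.Values...)
		} else if a.Name == "xlogin" && a.Scope == "" {
			unscoped = append(unscoped, a.Values...)
		}
	}
	for _, cand := range [][]string{scoped, unscoped} {
		if len(cand) > 1 {
			return "", fmt.Errorf("ambiguous xlogin mapping for %q", serverID)
		} else if len(cand) == 1 {
			return cand[0], nil
		}
	}
	return "", fmt.Errorf("no xlogin mapping for %q", serverID)
}

func main() {
	p := Policy{RequiredGroup: "/vo/project-a", RequiredAttrs: map[string][]string{"role": {"admin"}}}
	fmt.Println(Authorize("CN=alice,O=Grid", p)) // true <nil>
	ua, _ := PullAttributes("CN=alice,O=Grid")
	fmt.Println(MapUnixAccount(ua, "site-b")) // al <nil>: the scoped mapping wins
}
```

The two points worth keeping from this sketch are that a failed attribute lookup is a denial rather than a pass, and that an account mapping with two candidate values for the same server is refused instead of picking one arbitrarily.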

PUSH authorization

In the so-called "push mode", the user first contacts the UVOS server on her/his own and receives the list of possessed attributes in a signed assertion. Later this assertion can be attached to requests sent to grid services. If the service trusts the assertion issuer (i.e. the UVOS server which issued it), then it can use the attributes for authorization.

Note that the user can ask the UVOS server for only a subset of the owned attributes. In such a case the user can hide part of her/his identity or alter the execution (e.g. by choosing the role to be used).

The PUSH mode is presented in the figure below:

Push mode is more scalable in terms of server administration and easier to set up. However, it requires more user interaction and thus is more suitable for advanced grid users.
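The push-mode exchange, as an added example that is not UVOS code: the issuer signs an assertion containing only the attributes the user asked for, and the relying service accepts it only if the issuer is one it was configured to trust, the signature verifies under that issuer's key, the validity window covers the current time, and the subject is the party that actually authenticated to the service. To keep it self-contained the assertion is JSON signed with Ed25519 rather than a SAML assertion with an XML signature; the issuer name, the user directory and the DNs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)
// Assertion is a simplified stand-in for push mode's signed attribute assertion: JSON signed
// with Ed25519 instead of a SAML assertion with XML-DSig, so the example runs stand-alone.
type Assertion struct {
	Issuer     string              `json:"issuer"`
	Subject    string              `json:"subject"`
	NotBefore  int64               `json:"nbf"`
	NotAfter   int64               `json:"exp"`
	Attributes map[string][]string `json:"attrs"`
}
type SignedAssertion struct{ Payload, Signature []byte }
// Issuer models the attribute server (hypothetical, not the UVOS API); Directory is constructed data.
type Issuer struct {
	Name      string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	Directory map[string]map[string][]string // attributes each user holds
}

func NewIssuer(name string, dir map[string]map[string][]string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv, Directory: dir}, nil
}

// Issue signs an assertion for subject. requested == nil means "everything I hold"; otherwise
// only that subset is released, which is how a user hides part of her identity or picks a role.
func (is *Issuer) Issue(subject string, requested []string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	owned, ok := is.Directory[subject]
	if !ok {
		return SignedAssertion{}, fmt.Errorf("unknown subject %q", subject)
	}
	attrs := owned
	if requested != nil {
		attrs = map[string][]string{}
	}
	for _, name := range requested {
		if _, ok := owned[name]; !ok {
			return SignedAssertion{}, fmt.Errorf("subject does not hold %q", name)
		}
		attrs[name] = owned[name]
	}
	payload, _ := json.Marshal(Assertion{Issuer: is.Name, Subject: subject, NotBefore: now.Unix(),
		NotAfter: now.Add(ttl).Unix(), Attributes: attrs}) // marshalling a plain struct cannot fail
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(is.priv, payload)}, nil
}

// Service is the relying grid service; it trusts only issuer keys configured out of band.
type Service struct{ TrustedIssuers map[string]ed25519.PublicKey }
func TrustingService(issuers ...*Issuer) Service {
	s := Service{TrustedIssuers: map[string]ed25519.PublicKey{}}
	for _, is := range issuers {
		s.TrustedIssuers[is.Name] = is.Pub
	}
	return s
}

// Verify accepts a pushed assertion only if the issuer is trusted, the signature checks under
// that issuer's key, now lies in the validity window, and the subject is the authenticated requester.
func (s Service) Verify(sa SignedAssertion, requester string, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	pub, ok := s.TrustedIssuers[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return nil, fmt.Errorf("signature by %q does not verify", a.Issuer)
	}
	if t := now.Unix(); t < a.NotBefore || t >= a.NotAfter {
		return nil, fmt.Errorf("assertion outside its validity window")
	}
	if a.Subject != requester {
		return nil, fmt.Errorf("assertion subject %q is not the requester", a.Subject)
	}
	return &a, nil
}

func main() {
	dir := map[string]map[string][]string{"CN=alice,O=Grid": {"role": {"user", "admin"}, "xlogin": {"alice"}}}
	uvos, _ := NewIssuer("https://uvos.example.org", dir) // constructed issuer name
	now := time.Unix(1700000000, 0)
	sa, _ := uvos.Issue("CN=alice,O=Grid", []string{"role"}, now, 10*time.Minute) // xlogin withheld
	a, err := TrustingService(uvos).Verify(sa, "CN=alice,O=Grid", now.Add(time.Minute))
	fmt.Println(err, a.Attributes) // <nil> map[role:[user admin]]
}
```

The issuer's key is looked up by the issuer name carried in the assertion, but only from the service's own trusted list, so an assertion naming an unknown issuer is rejected before any signature arithmetic; the subject check is what ties the assertion to the connection it arrives on.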

Web portal authentication

UVOS can be used to authenticate web browser users. The SAML 2.0 standard is used to achieve this functionality. To enable it you will need an additional web application which provides a WWW login page; it is called uvos-webauthn and is available in the UVOS distribution.

Details of this deployment can be reviewed in many places, e.g. the Wikipedia article http://en.wikipedia.org/wiki/SAML_2.0. UVOS uses the POST binding. For a more detailed, technical description see the SAML 2.0 core specification, SAML 2.0 profiles and SAML 2.0 bindings documents; references can be found on the aforementioned Wikipedia page. It also works in the same style as Shibboleth 2.0 (this was not tested, but in principle it should be possible to use a Shibboleth SP with UVOS).
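To show what the POST binding looks like on the receiving side, here is an added example (written for this page, not code from UVOS or uvos-webauthn) of a web portal decoding the SAMLResponse form field and applying the checks that stop a response from being replayed, redirected to another service provider, or accepted from an unknown identity provider: Destination against the portal's own ACS URL, InResponseTo against an outstanding request, a trusted issuer, the NotBefore/NotOnOrAfter window and the AudienceRestriction. The sample response, entity IDs and URLs are constructed, and the XML-DSig verification that a real SP performs before trusting any of these fields is left to a SAML library and not modelled.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// Response models the parts of a samlp:Response an SP must check once the browser delivers it
// in the SAMLResponse form field (POST binding). Signature verification is not modelled here.
type Response struct {
	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination  string    `xml:"Destination,attr"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	Issuer       string    `xml:"Issuer"`
	Assertion    Assertion `xml:"Assertion"`
}
type Assertion struct {
	Issuer     string `xml:"Issuer"`
	Subject    string `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}
// SPConfig is the relying web portal's configuration (all values constructed for this example).
type SPConfig struct {
	EntityID, ACSURL string          // our audience name and the URL the POST must target
	TrustedIssuers   map[string]bool // entity IDs of the uvos-webauthn instances we accept
	PendingRequests  map[string]bool // AuthnRequest IDs we issued and have not yet consumed
}
// ValidatePOST decodes the SAMLResponse form value and applies the checks that stop a
// response from being replayed, redirected to another SP, or accepted from an unknown IdP.
func ValidatePOST(samlResponse string, cfg SPConfig, now time.Time) (*Assertion, error) {
	raw, err := base64.StdEncoding.DecodeString(samlResponse)
	if err != nil {
		return nil, fmt.Errorf("SAMLResponse is not base64: %w", err)
	}
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("not a samlp:Response: %w", err)
	}
	if r.Destination != cfg.ACSURL {
		return nil, fmt.Errorf("Destination %q is not our ACS URL", r.Destination)
	}
	if !cfg.PendingRequests[r.InResponseTo] {
		return nil, fmt.Errorf("InResponseTo %q matches no outstanding request", r.InResponseTo)
	}
	delete(cfg.PendingRequests, r.InResponseTo) // consume it: the same response cannot be replayed
	a := r.Assertion
	if !cfg.TrustedIssuers[r.Issuer] || a.Issuer != r.Issuer {
		return nil, fmt.Errorf("untrusted or inconsistent issuer %q / %q", r.Issuer, a.Issuer)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return nil, fmt.Errorf("assertion is outside its validity window at %s", now.Format(time.RFC3339))
	}
	for _, aud := range a.Conditions.Audiences {
		if aud == cfg.EntityID {
			return &a, nil
		}
	}
	return nil, fmt.Errorf("assertion is not addressed to %q", cfg.EntityID)
}
// sampleResponse is a constructed, unsigned illustration of what uvos-webauthn might return.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="https://portal.example.org/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://uvos.example.org/webauthn</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://uvos.example.org/webauthn</saml:Issuer>
    <saml:Subject><saml:NameID>CN=alice,O=Grid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://portal.example.org</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`
// EncodeForPOST plays the IdP side: base64 of the XML is what the browser auto-submits to the ACS.
func EncodeForPOST(xmlDoc string) string { return base64.StdEncoding.EncodeToString([]byte(xmlDoc)) }
func NewSPConfig() SPConfig {
	return SPConfig{EntityID: "https://portal.example.org", ACSURL: "https://portal.example.org/saml/acs",
		TrustedIssuers: map[string]bool{"https://uvos.example.org/webauthn": true}, PendingRequests: map[string]bool{"_req42": true}}
}
func main() {
	now := time.Date(2024, 1, 1, 12, 0, 30, 0, time.UTC)
	a, err := ValidatePOST(EncodeForPOST(sampleResponse), NewSPConfig(), now)
	fmt.Println(err, a.Subject, a.Attributes) // <nil> CN=alice,O=Grid [{role [admin]}]
}
```

Consuming the InResponseTo identifier as soon as it is seen, rather than after all checks pass, means a response that fails validation also burns the request it answers, which is the conservative choice for a login flow.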