Hi *,

as we start to implement v2.1 of the GlueSchema for the EGI federated cloud, we have realised that we are missing some VO-specific information and we are unsure how/where is the best way to publish this:

Users belong to several VOs and sites may support more than one of those. When users authenticate against a given endpoint, the endpoint will return a list of local projects/groups that the user is allowed to use. Each project/group supports a VO in our current implementation. In the past this was not an issue, since the user authenticated with a VOMS proxy that only contained information on a single VO and therefore the endpoint would just return a single project. Now, with the transition to federated identity, the endpoint will receive claims on every VO the user is a member of and there is no way for the user to determine which local project/group to use.

We would need a way to publish a site-defined identifier of the project/group that supports each VO at a given site, so the user could just match the VO with that id and select the appropriate one during authentication.

We have checked the current draft of the schema and haven't seen a clear place to publish this kind of information. Our current guess would be to include this in the AccessPolicy or MappingPolicy. Since in our implementation we are using shares as a way to express VO information, probably for us the MappingPolicy is the best fit, but we would like to get your input on the best way to proceed.

PS: I tried to submit this email before being subscribed, so apologies if it gets sent twice.



--
Enol Fernández | Cloud Technologist | EGI Foundation