[Openid-specs-ab] OpenID Connect and virtual organizations

Roland Hedberg roland.hedberg at adm.umu.se
Wed Aug 15 05:22:47 UTC 2012


Hi,

I (the academia) have a use case that I'd like your input on.

Within the higher education/research community it's very common that you
form virtual organizations (VO) crossing organization boundaries.

Such VOs are normally built around some common resource:
- a set of databases
- expensive hardware
- a specific service instance
Just to give some examples.

What's also common is that the members of the VO may differ in their
roles within the VO and what kind of access they would have to the
resource(s).
This leads to the need for an identity management system for the VO.
Let's call it VIMS (VO Identity Management System).

The VIMS is separate from the IDM at the home organization.
And normally the home organization is not even aware of its existence.

So, in the SAML2 world the VIMS could be represented as an Attribute
Authority (AA).
The normal pattern would then be that the researcher would initiate her
membership in the VO by connecting to the VIMS, using the home
organization's IdP for authentication. Once that is done, VO-specific
information about the person can be added to the VIMS.

Later, when the researcher wants to access a VO resource, she will
authenticate using the home organization's IdP and then would get the VO
identity from the AA. All this is supported by the SAML2 specification.
Noteworthy is that there is no authentication of the researcher to the
VIMS at this point in time. The VIMS will only be given an identifier
for the researcher and will release the identity information because it
trusts the SAML2 SP that is connected to the VO resource.

So, how would one go about doing this in an OpenID Connect (OIC) context?
We can't use aggregated or distributed claims because the OP doesn't
know about the VIMS.
One could possibly regard the VIMS information as a resource that the VO
RP wants access to. But that would mean that the token released by the
OP would have to be interpreted and understood by the VIMS.

Ideas? Comments? Other ways of doing this?

-- Roland
