[Openid-specs-ab] OpenID Connect and virtual organizations

Richer, Justin P. jricher at mitre.org
Wed Aug 15 11:43:01 UTC 2012

My first thought (without using distributed attributes) would be to use SCIM as an attribute authority, with users indexable by their issuer/user_id combinations. Then your services can go to the IDM to authenticate the user and make a call out to your own SCIM endpoint to get the extra attributes about them. If you could make that SCIM endpoint understand the OAuth2 tokens spit out by each IdM (either by using structured/signed tokens or an introspection endpoint at the IdM), all the better.

But are distributed claims really off the table? All the IdM needs is a pointer.

 -- Justin
From: openid-specs-ab-bounces at lists.openid.net [openid-specs-ab-bounces at lists.openid.net] on behalf of Roland Hedberg [roland.hedberg at adm.umu.se]
Sent: Wednesday, August 15, 2012 1:22 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] OpenID Connect and virtual organizations


I (the academia) have a use case that I'd like your input on.

Within the higher education/research community it's very common that you
form virtual organizations (VO) crossing organization boundaries.

Such VOs are normally built around some common resource:
- a set of databases
- expensive hardware
- a specific service instance
Just to give some examples.

What's also common is that the members of the VO may differ in their
roles within the VO and what kind of access they would have to the
This leads to the need for an identity management system for the VO.
Let's call it VIMS (VO Identity Management System).

The VIMS is separate from the IDM at the home organization.
And normally the home organization is not even aware of its existence.

So, in the SAML2 world the VIMS could be represented as an Attribute
Authority (AA).
The normal pattern would then be that the researcher would initiate her
membership in the VO by connecting to the VIMS, using the home
organization's IdP for authentication. Once that is done, VO-specific
information about the person can be added to the VIMS.

Later when the researcher wants to access a VO resource she will
authenticate using the home organization's IdP and then would get the VO
identity from the AA. All this is supported by the SAML2 specification.
Noteworthy is that there is no authentication of the researcher to the
VIMS at this point of time. The VIMS will only be given an identifier
for the researcher and will release the identity information because it
trusts the SAML2 SP that is connected to the VO resource.

So, how would one go about doing this in an OpenID Connect (OIC) context?
We can't use aggregated or distributed claims because the OP doesn't
know about the VIMS.
One could possibly regard the VIMS information as a resource that the VO
RP wants access to. But that would mean that the token released by the
OP would have to be interpreted and understood by the VIMS.

Ideas? Comments? Other ways of doing this?

-- Roland
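Added illustration (not code from either message, the OIDC specs or MITRE): a stdlib-only Python model of the two options discussed in this thread. The OP hands the RP only a pointer to the VO identity system (OIDC Core distributed claims, `_claim_names` / `_claim_sources`), and the VIMS releases VO attributes keyed by (issuer, sub) only after validating the OP's access token through an introspection-style lookup, which is the SCIM-as-attribute-authority idea in Justin's reply. The issuer URL, VIMS endpoint, signing key, token table and attribute values are all constructed for the demo; the HS256 JWS helpers are a minimal stand-in for a real JOSE library.

```python
# Added example (not from the thread): an OpenID Connect "distributed claims"
# round trip in which the OP only holds a pointer to the VO identity system
# (VIMS) and the VIMS validates the OP's access token before releasing
# VO-specific attributes keyed by (issuer, subject).
# Every name, URL, key and token below is constructed for the demo.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(payload: dict, key: bytes) -> str:
    """Minimal JWS compact serialisation with HS256 (demo stand-in for a JOSE library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jws_hs256_verify(token: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the payload; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header, body, sig = parts
    # Pin the algorithm instead of trusting whatever the header claims.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


OP_ISSUER = "https://idp.home-university.example"  # constructed home-organisation OP
VIMS_ENDPOINT = "https://vims.vo.example/claims"    # constructed VIMS claim-source URL
VIMS_SIGNING_KEY = b"demo-vims-key-do-not-use"      # constructed shared demo key


class VIMS:
    """VO identity system: attributes keyed by (issuer, sub), released only after
    the presented OP access token has been validated (introspection-style)."""

    def __init__(self, introspect):
        self.introspect = introspect  # callable: access_token -> RFC 7662-style dict
        self.records = {}             # (iss, sub) -> VO attributes

    def enrol(self, iss: str, sub: str, **attrs) -> None:
        self.records[(iss, sub)] = attrs

    def claims_endpoint(self, access_token: str) -> str:
        info = self.introspect(access_token)
        if not info.get("active"):
            raise PermissionError("token inactive or unknown")
        key = (info["iss"], info["sub"])
        if key not in self.records:
            raise PermissionError("subject not enrolled in this VO")
        payload = {"iss": VIMS_ENDPOINT, "sub": info["sub"], **self.records[key]}
        return jws_hs256_sign(payload, VIMS_SIGNING_KEY)


def resolve_distributed_claims(userinfo: dict, fetch, source_keys: dict) -> dict:
    """RP side: follow _claim_names/_claim_sources pointers (OIDC Core 5.6.2),
    verify each fetched JWT against a pinned key, and merge only the claims the
    OP said live at that source."""
    resolved = {k: v for k, v in userinfo.items() if not k.startswith("_claim_")}
    sources = userinfo.get("_claim_sources", {})
    for claim, src_name in userinfo.get("_claim_names", {}).items():
        src = sources[src_name]
        if src["endpoint"] not in source_keys:
            raise ValueError(f"untrusted claim source {src['endpoint']}")
        jwt = fetch(src["endpoint"], src.get("access_token"))
        payload = jws_hs256_verify(jwt, source_keys[src["endpoint"]])
        # Demo convention: the VIMS issues JWTs with iss == its endpoint URL.
        if payload.get("iss") != src["endpoint"] or payload.get("sub") != userinfo.get("sub"):
            raise ValueError("claim-source JWT does not match endpoint/subject")
        if claim not in payload:
            raise ValueError(f"claim {claim} missing from source")
        resolved[claim] = payload[claim]
    return resolved


def demo() -> dict:
    # Constructed OP token table standing in for an RFC 7662 introspection endpoint.
    op_tokens = {"tok-abc": {"active": True, "iss": OP_ISSUER, "sub": "researcher-42"}}
    vims = VIMS(introspect=lambda t: op_tokens.get(t, {"active": False}))
    vims.enrol(OP_ISSUER, "researcher-42", vo_role="pi", vo_resource="cluster-a")
    # What the OP returns to the RP: its own claims plus a pointer to the VIMS.
    userinfo = {
        "sub": "researcher-42",
        "name": "R. Researcher",
        "_claim_names": {"vo_role": "vims", "vo_resource": "vims"},
        "_claim_sources": {"vims": {"endpoint": VIMS_ENDPOINT, "access_token": "tok-abc"}},
    }
    fetch = lambda endpoint, token: vims.claims_endpoint(token)  # stands in for HTTPS GET
    return resolve_distributed_claims(userinfo, fetch, {VIMS_ENDPOINT: VIMS_SIGNING_KEY})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the pinned `source_keys` map on the RP side is that a `_claim_sources` pointer is only as trustworthy as the RP's prior relationship with that endpoint; the RP must not fetch from, or accept signatures for, an arbitrary URL that appears in a claims response. On the VIMS side, the `(iss, sub)` key is what lets one attribute store serve users from many home IdPs without the home organisation knowing the VO exists.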