[Openid-specs-ab] OpenID Connect and virtual organizations

John Bradley ve7jtb at ve7jtb.com
Wed Aug 15 12:17:28 UTC 2012

In the existing trust model the user is not involved in the authorization of the AA, it would seem.

The VO might just use OAuth with the Agent credentials flow to access the AA.

The question is if the VIMS needs to confirm information from the IdP directly.

There is probably a way to chain this so that the AA can get an id_token and access token for the user at the first login.

Interesting problem.


On 2012-08-15, at 12:22 AM, Roland Hedberg wrote:

> Hi,
> I (the academia) have a use case that I'd like your input on.
> Within the higher education/research community it's very common that you
> form virtual organizations (VO) crossing organization boundaries.
> Such VOs are normally built around some common resource:
> - a set of databases
> - expensive hardware
> - a specific service instance
> Just to give some examples.
> What's also common is that the members of the VO may differ in their
> roles within the VO and what kind of access they would have to the
> resource/-s.
> This leads to the need for an identity management system for the VO.
> Let's call it VIMS (VO Identity Management System).
> The VIMS is separate from the IDM at the home organization.
> And normally the home organization is not even aware of its existence.
> So, in the SAML2 world the VIMS could be represented as an Attribute
> Authority (AA).
> The normal pattern would then be that the researcher would initiate her
> membership in the VO by connecting to the VIMS, using the home
> organization's IdP for authentication. Once that is done VO specific
> information about the person can be added to the VIMS.
> Later when the researcher wants to access a VO resource she will
> authenticate using the home organization's IdP and then would get the VO
> identity from the AA. All this is supported by the SAML2 specification.
> Noteworthy is that there is no authentication of the researcher to the
> VIMS at this point of time. The VIMS will only be given an identifier
> for the researcher and will release the identity information because it
> trusts the SAML2 SP that is connected to the VO resource.
> So, how would one go about doing this in an OpenID Connect (OIC) context?
> We can't use aggregated or distributed claims because the OP doesn't
> know about the VIMS.
> One could possibly regard the VIMS information as a resource that the VO
> RP wants access to. But that would mean that the token released by the
> OP would have to be interpreted and understood by the VIMS.
> Ideas? Comments? Other ways of doing this?
> -- Roland
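One way to realise the "VIMS as a resource" option Roland raises, as an added example that is not part of either message: the VIMS interprets the OP's id_token itself (signature, issuer, audience, expiry) and only then releases VO claims keyed by the asserted (issuer, subject) pair, never authenticating the researcher directly. Assumed for the sake of running offline: a constructed HS256 shared secret standing in for the OP's published signing key, a single string `aud`, and made-up issuer, audience and membership values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values: the OP trusted by the VIMS, the VIMS's own audience identifier,
# and a demo HS256 secret (assumption: a real OP would sign with RS256 and publish keys).
OP_ISSUER = "https://op.example.edu"
VIMS_AUDIENCE = "https://vims.example.org"
OP_SECRET = b"constructed-demo-secret"

# Constructed VO membership table. The VIMS only maps the identifier the OP asserted
# to VO-specific roles; it holds no credentials for the researcher.
VO_MEMBERS = {
    (OP_ISSUER, "researcher-42"): {"vo": "astro-vo", "role": "data-curator"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub: str, aud: str, exp: int) -> str:
    """Constructed OP side: sign an id_token so the VIMS has something to validate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": aud, "exp": exp}).encode())
    sig = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def vims_release_claims(id_token: str, now: Optional[int] = None) -> Optional[dict]:
    """VIMS side: accept the OP's token only if it was minted for this VIMS, then
    release the VO claims for the asserted subject (None on any failed check)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None  # malformed token
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(OP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # not signed by the trusted OP
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != VIMS_AUDIENCE:
        return None  # wrong issuer, or a token minted for some other RP
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or missing expiry
    return VO_MEMBERS.get((claims["iss"], claims.get("sub")))
```

The audience check is what makes the "VIMS as a resource" approach work: a token the OP issued for the VO RP alone is rejected here, so the RP has to obtain one that names the VIMS.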
