[Openid-specs-ab] OpenID Connect and virtual organizations

Roland Hedberg roland.hedberg at adm.umu.se
Wed Aug 15 12:42:10 UTC 2012


Richer, Justin P. wrote 2012-08-15 13:43:
> My first thought (without using distributed attributes) would be to
> use SCIM as an attribute authority, with users indexable by their
> issuer/user_id combinations. 

Interesting idea, have to think about it.

> Then your services can go to the IDM to
> authenticate the user and make a call out to your own SCIM endpoint
> to get the extra attributes about them. If you could make that SCIM
> endpoint understand the OAuth2 tokens spit out by each IdM (either by
> using structured/signed tokens or an introspection endpoint at the
> IdM), all the better.

Yeah, but there's the rub.
If I have control over the OP implementations I could do this, but if
not, it is probably a non-starter.

> But are distributed claims really off the table? All the IdM needs is
> a pointer.

One added piece of information: the number of persons that are members
of one specific VO and that come from one specific organization may vary
from 1-many.
If the number is small our experience tells us that the admins at the
IdPs/OPs don't want to deal with it.

-- Roland
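As an added example that is not from this thread or from either author's code, this is what "just a pointer" looks like with OpenID Connect distributed claims (`_claim_names`/`_claim_sources`, OIDC Core section 5.6.2): the OP's ID token carries only a reference to a VO attribute endpoint, and the RP resolves it, following pointers only to endpoints it has allowlisted. The endpoint URL, the `vo_membership` claim name, the token value and the fetch stub are constructed assumptions.

```python
# Added example: OP hands the RP a pointer to VO attributes via OIDC
# distributed claims; the RP resolves it against an allowlist of sources.
# Endpoint URL, claim name, token and the fake fetch are constructed.
from typing import Callable, Dict

# Endpoints the RP trusts to serve VO attributes (constructed allowlist).
TRUSTED_CLAIM_ENDPOINTS = {"https://vo.example.org/scim/Users/"}

# Constructed ID token payload: the OP asserts identity and points at the
# VO attribute source instead of carrying the VO membership itself.
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.edu",
    "sub": "u123",
    "_claim_names": {"vo_membership": "vo_src"},
    "_claim_sources": {
        "vo_src": {
            "endpoint": "https://vo.example.org/scim/Users/u123",
            "access_token": "constructed-token",
        }
    },
}


def fake_fetch(endpoint: str, access_token: str) -> Dict:
    """Constructed stand-in for the HTTP GET to the claim source endpoint."""
    if (endpoint == "https://vo.example.org/scim/Users/u123"
            and access_token == "constructed-token"):
        return {"vo_membership": ["vo-astro", "vo-climate"]}
    raise PermissionError("unauthorized")


def resolve_distributed_claims(claims: Dict, fetch: Callable[[str, str], Dict]) -> Dict:
    """Return the claims with every distributed claim pulled in from its source."""
    resolved = {k: v for k, v in claims.items() if not k.startswith("_claim_")}
    names = claims.get("_claim_names", {})
    sources = claims.get("_claim_sources", {})
    for claim, src_id in names.items():
        src = sources.get(src_id, {})
        endpoint = src.get("endpoint")
        # Follow only pointers to allowlisted endpoints: an OP (or a forged
        # token) must not be able to steer the RP to an arbitrary host.
        if not endpoint or not any(endpoint.startswith(p) for p in TRUSTED_CLAIM_ENDPOINTS):
            raise ValueError(f"untrusted claim source for {claim}: {endpoint!r}")
        payload = fetch(endpoint, src.get("access_token", ""))
        if claim not in payload:
            raise ValueError(f"claim source did not return {claim}")
        resolved[claim] = payload[claim]
    return resolved
```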
