[Openid-specs-ab] OpenID Connect and virtual organizations
roland.hedberg at adm.umu.se
Wed Aug 15 12:42:10 UTC 2012
Richer, Justin P. wrote 2012-08-15 13:43:
> My first thought (without using distributed attributes) would be to
> use SCIM as an attribute authority, with users indexable by their
> issuer/user_id combinations.
Interesting idea, have to think about it.
> Then your services can go to the IDM to
> authenticate the user and make a call out to your own SCIM endpoint
> to get the extra attributes about them. If you could make that SCIM
> endpoint understand the OAuth2 tokens spit out by each IdM (either by
> using structured/signed tokens or an introspection endpoint at the
> IdM), all the better.
Yeah, but there's the rub.
If I have control over the OP implementations I could do this, but if
not it is probably a non-starter.
> But are distributed claims really off the table? All the IdM needs is
> a pointer.
One added piece of information: the number of persons, that are members
of one specific VO, that come from one specific organization, may vary.
If the number is small our experience tells us that the admins at the
IdPs/OPs don't want to deal with it.
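The "all the IdM needs is a pointer" option from the thread, as an added example that is not part of the original exchange: the OP's ID Token carries OpenID Connect distributed claims (`_claim_names`/`_claim_sources`) pointing at a VO attribute authority, which the relying party queries keyed by the user's issuer/sub pair. The endpoint URL, issuer, subject and VO names are constructed, and the HTTPS fetch is replaced by an in-memory table so it runs offline.

```python
"""Resolve OpenID Connect distributed claims against a VO attribute authority.

Added example, not code from the thread. The network call a relying party
would make to the claim source is stubbed with an in-memory table.
"""
import json
from typing import Dict, Tuple

# Constructed sample attribute authority: (issuer, sub) -> VO attributes.
# In a real deployment this would be e.g. a SCIM endpoint returning a signed JWT.
VO_AUTHORITY: Dict[Tuple[str, str], dict] = {
    ("https://op.example.org", "alice-123"): {"vo_membership": ["cms", "atlas"]},
}
CLAIM_ENDPOINT = "https://vo.example.net/claims"  # constructed endpoint URL


def fetch_claim_source(endpoint: str, iss: str, sub: str) -> dict:
    """Stand-in for the HTTPS request the RP makes to the claim source."""
    if endpoint != CLAIM_ENDPOINT:
        raise ValueError(f"unknown claim source endpoint: {endpoint}")
    return VO_AUTHORITY.get((iss, sub), {})


def resolve_distributed_claims(id_token_claims: dict) -> dict:
    """Return the ID Token claims with distributed claims resolved in place.

    Only claim names the ID Token advertises in _claim_names are taken from
    the source; anything else the source returns is ignored, so the attribute
    authority cannot add claims the OP never delegated to it.
    """
    claims = dict(id_token_claims)
    names = claims.pop("_claim_names", {})
    sources = claims.pop("_claim_sources", {})
    for name, src_id in names.items():
        source = sources.get(src_id)
        if source is None or "endpoint" not in source:
            raise ValueError(f"claim {name!r} points at missing source {src_id!r}")
        remote = fetch_claim_source(source["endpoint"], claims["iss"], claims["sub"])
        if name in remote:
            claims[name] = remote[name]
    return claims


# Constructed ID Token payload as an OP might issue it (signature already verified).
SAMPLE_ID_TOKEN = {
    "iss": "https://op.example.org",
    "sub": "alice-123",
    "aud": "rp-client",
    "_claim_names": {"vo_membership": "vo"},
    "_claim_sources": {"vo": {"endpoint": CLAIM_ENDPOINT}},
}

if __name__ == "__main__":
    print(json.dumps(resolve_distributed_claims(SAMPLE_ID_TOKEN), indent=2))
```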