[Openid-specs-ab] OpenID Connect and virtual organizations

Roland Hedberg roland.hedberg at adm.umu.se
Wed Aug 15 12:49:55 UTC 2012


John Bradley skrev 2012-08-15 14:17:
> In the existing trust model the user is not involved in the
> authorization of the AA it would seem.

Correct!

> The VO might just use OAuth with the Agent credentials flow to access
> the AA.

Yes! I didn't think about that, but that is sort of equivalent to what
SAML2 specifies. It's one more step since the client first gets an
access token and then requests the user info, while SAML2 does all in
one message exchange.

> The question is if the VIMS needs to confirm information from the IdP
> directly.

Usually not, the information from the IdP and from the VIMS are normally
independent.

> Interesting problem.

It's a real world problem that we are struggling to find a viable
solution to right now.

-- Roland


More information about the Openid-specs-ab mailing list