[Openid-specs-ab] OpenID Connect and virtual organizations

Nat Sakimura sakimura at gmail.com
Fri Aug 17 09:35:18 UTC 2012

Hi Roland.

One of the challenge is that IdP may not know about the AA and the
access token is opaque.

Maybe something like this would solve your problem?


Nat Sakimura

On 2012/08/15, at 21:50, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:

> John Bradley skrev 2012-08-15 14:17:
>> In the existing trust model the user is not involved in the
>> authorization of the AA it would seem.
> Correct!
>> The VO might just use OAuth with the Agent credentials flow to access
>> the AA.
> Yes! I didn't think about that, but that is sort of equivalent to what
> SAML2 specifies. It's one more step since the client first gets an
> access token and then requests the user info, while SAML2 does all in
> one message exchange.
>> The question is if the VIMS needs to confirm information from the IdP
>> directly.
> Usually not, the information from the IdP and from the VIMS are normally
> independent.
>> Interesting problem.
> It's a real world problem that we are struggling to find a viable
> solution to right now.
> -- Roland
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list