Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In a traditional SAML flow the following happens. The goal is to enable user Aladár (A) to manage the authorisation of user Béla (B) authorization to service S, but in a way that this information is not maintained in S but in an external source, the Membership Management Service (MMS)

  1. A logs in on the web interface of the MMS, a SAML SP and an account is created.
  2. A creates a Virtual Organization / Community / Group - terminology depends on the actual tool but let's call it (VO)
  3. A wants to invite B to his VO. In order to do this, he needs an email address to B. This email address serves as a trust anchor for the moment, therefore it needs to really belong to B and not be comprimisedcompromised.
  4. A sends an email invitation to B with a link containing a token. 
  5. B follows the link to the web interface of the MMS, prompted for login. may already have a login (for previous participation in other VOs) or needs to create a new one. may log in with a federate account but it could be the case that there is none, and a local account is created or a VHO account is used. This scenario is made possible by the fact that really the access to the email inbox is what provides the trust for the VO membership.
  6. After creating/accessing a local account, the token sent in the link is processed and B's account is now associated with the VO
  7. will eventually access a service that needs this membership information, commonly called entitlement.
    1. The service will perform a login flow
    and then
    1. with B's user identifier queries the MMS backend, for instance a SAML AA or an integration. This requires the usage of the same user identifier that was used at the MMS, typically a common OIDC/SAML source.
  8. A may revoke the entitlement at any time, which will take effect at the next session: the service accessed will query the MMS and will not get the entitlement.


Gliffy Diagram
macroId7241fc33-aaa4-4c7c-addd-026881ab3da9
displayNameTraditional MMS flow
nameTraditional MMS flow
pagePin4


With the introduction of DI4R, the flow may be significantly simplified. 

...

With this solution does not have to use the same login (i.e. the MMS and the target SERVICE do S do not need to be in the same federation). Possibly, B can receive the card at a page maintained by the DI4R provider.