As organizations and technologies take advantage of federated user models, new identity management problems appear and require thought. One of those problems lies in groups and group management. This document describes two categories of problem that touch on groups in a federated environment: groups with federated members, and federated groups.
Groups are used for a wide variety of things, including managing access control at scale. In looking at groups with federated members versus federated groups, we see two different approaches to bringing group management and federation together.
Groups with Federated Members
An organization that starts down the path of federated access often begins by including users from other organizations who authenticate using federated technologies (called "federated users" for the sake of this discussion) in its various access management systems. In particular, those users may be placed as members of local groups.
Use Case
- A virtual organization (VO) uses Grouper as a group management system. Members of the VO authenticate to use VO applications and services via Shibboleth; the VO does not create accounts in the traditional sense, instead relying on federated authentication. The VO manages access and authorization by means of the groups defined in Grouper. The members of the groups are federated users.
Local groups, federated users
Federated Groups
Organizations that rely more heavily on federated technologies to handle their complex identity and access management needs may go beyond local groups with federated members and allow for groups created and managed by other trusted organizations.
Use Case
- A science VO signs a Memorandum of Understanding (MoU) with another VO. The agreement covers the sharing of data and tools, and the management of accounts within each individual VO is opaque to the other. Rather than enter into a lengthy discussion of which users need to be added to each other's groups, the first VO accepts group information wholesale from the other VO.
Federated groups, federated users
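As an added illustration (not part of the original page, and not code from Grouper, Shibboleth or VOOT), the Python sketch below puts the two models side by side: a local group whose members are federated users keyed by a scoped identifier such as eduPersonPrincipalName, and federated groups that are accepted only from a partner VO named in an MoU and only within the group namespace delegated to that partner, so a partner cannot assert membership in the local VO's own groups. All identifiers, group names and the trust table are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class FederatedUser:
    # A federated user has no local account; the home IdP asserts a scoped
    # identifier (here an eppn-style "user@home-org") at login time.
    eppn: str
    # Group memberships asserted about this user by remote VOs, as
    # (asserting VO, group name) pairs. Constructed for the example.
    asserted_groups: set = field(default_factory=set)

@dataclass
class GroupService:
    # Model 1: local groups whose members are federated users (group -> eppns).
    local_groups: dict
    # Model 2: partner VOs trusted under an MoU, mapped to the group-name
    # prefix each partner is allowed to assert (its delegated namespace).
    trusted_issuers: dict

    def is_member(self, user: FederatedUser, group: str) -> bool:
        # Model 1: direct membership of the federated user in a local group.
        if user.eppn in self.local_groups.get(group, set()):
            return True
        # Model 2: a federated group counts only if the asserting VO is a
        # trusted partner AND the group lies inside that partner's namespace.
        for issuer, asserted in user.asserted_groups:
            prefix = self.trusted_issuers.get(issuer)
            if prefix is not None and asserted == group and group.startswith(prefix):
                return True
        return False

def demo() -> tuple:
    # Constructed sample data: VO A trusts VO B for groups prefixed "vo-b:".
    svc = GroupService(
        local_groups={"vo-a:data-curators": {"alice@uni-x.example"}},
        trusted_issuers={"vo-b.example": "vo-b:"},
    )
    alice = FederatedUser("alice@uni-x.example")              # model 1 member
    bob = FederatedUser("bob@uni-y.example", {
        ("vo-b.example", "vo-b:telescope-users"),             # valid federated group
        ("vo-b.example", "vo-a:data-curators"),               # outside VO B's namespace
        ("vo-c.example", "vo-c:anything"),                    # no MoU with VO C
    })
    return (
        svc.is_member(alice, "vo-a:data-curators"),  # True: local group, federated member
        svc.is_member(bob, "vo-b:telescope-users"),  # True: trusted federated group
        svc.is_member(bob, "vo-a:data-curators"),    # False: partner cannot claim local group
        svc.is_member(bob, "vo-c:anything"),         # False: VO C is not a trusted issuer
    )
```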
Other activities in this space
- Read-only access to groups: VOOT
Open questions
- Should there be an open group management API to ease the integration of federated groups and groups with federated members into an organization's group management infrastructure? What would such an API look like?