OpenConext: enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts
Federated identity and access management has seen wide adoption in less than a decade. Identity Providers (IdPs) authenticate users and release to Service Providers (SPs) the user information for which the IdP is authoritative. In general, however, Services need additional user information to make authorisation decisions: information that is not available from the IdP and for which the IdP is not authoritative. In particular, many Services would benefit from being 'Group-Aware', that is, able to obtain a user's group/team/VO memberships and roles. As Australia's NREN, AARNet plans to deliver group-aware collaboration services (e.g. a future CloudStor, video-conferencing management tools).
SURFnet's OpenConext federated identity management platform provides group/team/VO management and an OpenSocial-based API through which SPs can securely request a user's team information. OpenConext includes a "Team" application, built on Internet2's Grouper, for secure team management, and it uses an OAuth-protected OpenSocial API so that services can query a user's team information only after the user has given consent. OpenConext is, in fact, the complete federated identity management solution used by SURFnet. Its architecture also allows it to operate in 'IdP-SP proxy' mode, presenting a number of SPs behind a single 'shop-front'.
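To make the group-aware authorisation pattern concrete, the following is an added Python example; it is not code from OpenConext, SURFnet or AARNet. It assumes the SP has already authenticated the user through an IdP (represented here by a dictionary of SAML attributes) and has fetched the user's team memberships through the consent-protected team API. The JSON shape of the team response, the group identifiers and the role field are constructed assumptions, not OpenConext's documented schema. The point it demonstrates is the split of authority the abstract describes: the IdP attests who the user is, the team API attests which teams the user belongs to and in what role, and the SP fails closed when either piece is missing or malformed.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed group identifiers (assumption: URN-style team ids, not OpenConext's real naming).
ADMINS_GROUP = "urn:example:team:videoconf-admins"
STORAGE_GROUP = "urn:example:team:storage-users"

# Constructed sample of an OpenSocial-style "groups" response, as a group-aware SP
# might receive it once the user has consented to sharing team membership.
# The field names (entry, id, title, role) are an assumed shape for this example.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "startIndex": 0,
    "itemsPerPage": 2,
    "totalResults": 2,
    "entry": [
        {"id": ADMINS_GROUP, "title": "Videoconf admins",
         "description": "May create and manage conference rooms", "role": "admin"},
        {"id": STORAGE_GROUP, "title": "Cloud storage users", "role": "member"},
    ],
})


@dataclass(frozen=True)
class Membership:
    group_id: str
    title: str
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # human-readable, suitable for the SP's audit log


def parse_groups(body: str) -> List[Membership]:
    """Parse the assumed groups response into memberships, skipping malformed entries."""
    doc = json.loads(body)
    memberships: List[Membership] = []
    for entry in doc.get("entry", []):
        group_id = entry.get("id")
        if not isinstance(group_id, str) or not group_id:
            continue  # an entry without a usable id grants nothing
        memberships.append(Membership(group_id, entry.get("title", ""), entry.get("role", "member")))
    return memberships


def authorise(idp_attrs: Dict[str, str], groups_body: Optional[str],
              required_group: str, required_role: Optional[str] = None) -> Decision:
    """Combine the IdP's identity assertion with team-API membership to reach a decision.

    idp_attrs:    attributes released by the IdP (authoritative for identity only)
    groups_body:  raw team-API response, or None if it could not be obtained
                  (user withheld consent, token expired, API unreachable)
    required_role: None means any membership of required_group suffices
    """
    principal = idp_attrs.get("eduPersonPrincipalName")
    if not principal:
        return Decision(False, "no authenticated principal asserted by the IdP")
    if groups_body is None:
        # Fail closed: missing team information is never treated as "no restrictions".
        return Decision(False, f"team information unavailable for {principal}; denying")
    try:
        memberships = parse_groups(groups_body)
    except (ValueError, AttributeError):
        return Decision(False, f"malformed team response for {principal}; denying")
    for m in memberships:
        if m.group_id != required_group:
            continue
        if required_role is None or m.role == required_role:
            return Decision(True, f"{principal} is {m.role} of {m.title or m.group_id}")
        return Decision(False, f"{principal} is {m.role} of {required_group}; {required_role} required")
    return Decision(False, f"{principal} is not a member of {required_group}")


if __name__ == "__main__":
    attrs = {"eduPersonPrincipalName": "jdoe@example.org"}  # constructed IdP attribute
    for group, role in [(ADMINS_GROUP, "admin"), (STORAGE_GROUP, "admin"), (STORAGE_GROUP, None)]:
        d = authorise(attrs, SAMPLE_GROUPS_RESPONSE, group, role)
        print(f"{group} role={role}: allowed={d.allowed} ({d.reason})")
    print(authorise(attrs, None, ADMINS_GROUP))
```

The decision carries a reason string so that every allow and deny can be logged with the attesting source named; in a deployment the constructed response would be replaced by the body returned from the OAuth-protected team API call, and a missing or expired authorisation for that call lands in the `groups_body is None` branch.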
We will describe the OpenConext technology, AARNet's experience with OpenConext and its collaboration with SURFnet, and AARNet's plans to use OpenConext's Team Management, Team Information API and IdP-SP Proxy functionality.
Speakers: Neil Witheridge and François Kooman