
IdPs can have several organisational units, especially if they are large or multinational. In these large organisations, the different units may need to access different resources, or where the same resource is accessed they may need different subscription levels. We call these types of IdP a consortia domain.

In a federation, the scope is used to identify organisations, and it is also used to differentiate organisational units (or sub-organisations) when necessary. In the OpenAthens federation this is done by adding an additional identifier in front of the domain scope. The cases, with the scope used for each, are:

  • Organisational units will not need to be differentiated: customer.com
  • Organisational units will need to be differentiated (an identifier is included for the domain organisation): identifier1.customer.com
  • An organisational unit within the consortia needs to be uniquely identified, e.g. an NHS Trust, or a multinational corporation's national office (uses a scope with a different identifier): identifier2.customer.com
  • An organisational unit within the consortia does not need to be uniquely identified, e.g. a GP surgery within an NHS Trust, or a branch office (uses the same scope as its parent organisation): identifier1.customer.com

The identifier used is the unit's OpenAthens organisation number. You can see a good example of this in the NHS England organisation list: http://login.openathens.net/org-list

How this applies to authorisation

Where a customer is a consortia domain and is purchasing on behalf of the whole domain, they would supply their scope as *.customer.com. Individual organisational units would supply their own discrete scope if they were purchasing different content.

If you sell or plan to sell to this kind of consortia, your authorisation process will need to be flexible enough to match a user's asserted scope against a wildcarded scope as well as against discrete scopes, and a single user may be covered by both at once (the domain-wide purchase plus their unit's own purchase).

Examples:

  • The NHS England wildcarded scope would be *.eng.nhs.uk.
  • NHS England trust specific scopes would look like 1345345.eng.nhs.uk, 9853784.eng.nhs.uk, 1047384.eng.nhs.uk... etc.
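The matching logic described above, as an added example that is not OpenAthens code. The entitlement table, the package names and the function names are constructed for illustration; the asserted scope is the value your SP receives for the user (for example the domain part of a scoped attribute such as member@1345345.eng.nhs.uk). The assumption that a wildcard covers one or more labels to the left of the domain scope is mine; the page only shows a single identifier label.

```python
"""Scope-based authorisation for consortia domains.

Added example, not OpenAthens code. ENTITLEMENTS, the package names and
the function names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    scope: str    # "*.eng.nhs.uk" (whole domain) or "9853784.eng.nhs.uk" (one unit)
    package: str  # constructed label for what the scope is entitled to


# Constructed entitlement table: the domain bought one package for every
# unit, one trust bought an upgrade for itself only, and a non-consortia
# customer has a single undifferentiated scope.
ENTITLEMENTS = (
    Entitlement("*.eng.nhs.uk", "core-journals"),
    Entitlement("9853784.eng.nhs.uk", "oncology-upgrade"),
    Entitlement("customer.com", "basic"),
)


def _normalise(scope: str) -> str:
    # Scopes are DNS-style names, so compare them case-insensitively.
    return scope.strip().lower()


def scope_matches(asserted: str, entitled: str) -> bool:
    """Return True if the scope asserted for a user is covered by an entitled scope.

    Discrete entitled scopes match exactly. A wildcarded entitled scope
    "*.domain" covers one or more non-empty labels to the left of "domain"
    (assumption). The asserted scope is data from the IdP, never a pattern,
    so any "*" in it is rejected rather than interpreted.
    """
    a = _normalise(asserted)
    e = _normalise(entitled)
    if not a or "*" in a:
        return False
    if "*" not in e:
        return a == e
    if not e.startswith("*.") or "*" in e[2:]:
        raise ValueError(f"unsupported wildcard pattern: {entitled!r}")
    suffix = e[1:]                      # ".eng.nhs.uk", leading dot kept
    if not a.endswith(suffix):          # dot boundary: "evil-eng.nhs.uk" fails here
        return False
    head = a[: -len(suffix)]            # the unit identifier(s) left of the domain
    return head != "" and all(head.split("."))   # at least one non-empty label


def entitled_packages(asserted: str, entitlements=ENTITLEMENTS) -> set[str]:
    """Collect every package the asserted scope is entitled to, wildcard or discrete."""
    return {ent.package for ent in entitlements if scope_matches(asserted, ent.scope)}


if __name__ == "__main__":
    for scope in ("9853784.eng.nhs.uk", "1345345.ENG.nhs.uk", "evil-eng.nhs.uk",
                  "eng.nhs.uk", "*.eng.nhs.uk", "customer.com"):
        print(f"{scope:22} -> {sorted(entitled_packages(scope))}")
```

Two details matter for correctness here. The wildcard is matched on a label boundary (the entitled suffix keeps its leading dot), so a plain string-suffix test that would let evil-eng.nhs.uk satisfy *.eng.nhs.uk is avoided, and the bare domain eng.nhs.uk is not treated as one of its own units. The asserted scope is never interpreted as a pattern: only your own entitlement records may carry a wildcard.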

How this benefits you and your users

Because the targeted IDs used in federated access management are derived from entity IDs rather than from the scope, a user who moves around their consortia domain keeps the same identifier at your service, so it can still be used for personalisation. The scope passed for them can change, however, which means they see the content appropriate to whichever part of the consortia they currently belong to.

Using NHS England as an example again, this might be when a doctor finishes their rotation and moves to another hospital or practice.
