IdPs can have several organisational units, especially if they are large or multinational. In these large organisations the different units may need access to different resources, or, where the same resource is accessed, they may need different subscription levels. We call this type of IdP a consortia domain.
In a federation, the scope is used to identify organisations, and it is also used to differentiate organisational units (or sub-organisations) when necessary. In the OpenAthens federation this is done by adding an additional identifier in front of the domain scope - e.g:
- Organisational units will not need to be differentiated
- Organisational units will need to be differentiated (an identifier is included for the domain organisation)
- An organisational unit within the consortia needs to be uniquely identified, e.g. an NHS Trust or a multinational corporation's national office (uses a scope with a different identifier)
- An organisational unit within the consortia does not need to be uniquely identified, e.g. a GP surgery within an NHS Trust or a branch office (uses the same scope as its parent organisation)
The identifier used is the organisation's OpenAthens organisation number. You can see a good example of this in the NHS England organisation list: http://login.openathens.net/org-list
How this applies to authorisation
Where a customer is a consortia domain and is purchasing on behalf of the whole domain, they would supply their scope as *.customer.com. Individual organisational units would supply their discrete scope if they were purchasing different content.
If you sell or plan to sell to this kind of consortia, your authorisation process will need to be flexible enough to match on a wildcarded scope as well as on discrete scopes. The wildcard should be matched at a label boundary (so *.customer.com covers 1234.customer.com but not othercustomer.com), not by a plain suffix comparison.
- The NHS England wildcarded scope would be
- NHS England trust-specific scopes would look like 1345345.eng.nhs.uk, 9853784.eng.nhs.uk, 1047384.eng.nhs.uk, etc.
How this benefits you and your users
Because the targeted IDs used in federated access management are generated from entity IDs, a user who moves around their consortia domain keeps the same identifier as far as you are concerned, so it can still be used for personalisation. The scope passed for them can change, however, so they see the content appropriate to whichever part of the consortia they currently belong to.
Using NHS England as an example again, this might happen when a doctor finishes a rotation and moves to another hospital or practice.
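As an added example (not OpenAthens' code or documentation), the Python below shows the matching an authorisation step needs for the wildcard and discrete scopes described above, together with personalisation keyed on the targeted ID so that a user who rotates to another trust keeps their profile but gets that trust's subscription level. The entitlement catalogue, the subscription level names, the targeted ID value and the assumption that the NHS England wildcard scope is *.eng.nhs.uk (by analogy with *.customer.com; the page does not print it) are all constructed for illustration.

```python
# Added example, not OpenAthens' own code: resolve a subscription level from the
# scope an IdP asserts, matching wildcard and discrete purchased scopes, and keep
# personalisation keyed by the targeted ID rather than by the scope.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed entitlement catalogue. The trust scopes follow the pattern shown on
# the page; "*.eng.nhs.uk" is ASSUMED to be the NHS England wildcard scope.
ENTITLEMENTS: Dict[str, str] = {
    "*.eng.nhs.uk": "core",           # bought on behalf of the whole domain
    "1345345.eng.nhs.uk": "premium",  # one trust bought an upgrade
    "9853784.eng.nhs.uk": "premium",
}
LEVEL_RANK = {"core": 1, "premium": 2}  # hypothetical subscription levels


def scope_matches(purchased: str, asserted: str) -> bool:
    """True if the scope asserted by the IdP is covered by a purchased scope.

    A wildcard covers exactly one extra label at a label boundary, so
    "*.eng.nhs.uk" matches "1345345.eng.nhs.uk" but not "eng.nhs.uk",
    "a.b.eng.nhs.uk" or "xeng.nhs.uk" (a plain suffix test would accept the
    last). Discrete scopes must match exactly. Comparison is case-insensitive,
    as for DNS names.
    """
    purchased = purchased.strip().lower()
    asserted = asserted.strip().lower()
    if not purchased.startswith("*."):
        return purchased == asserted
    parent = purchased[2:]
    if not asserted.endswith("." + parent):
        return False
    leaf = asserted[: -(len(parent) + 1)]
    # Reject empty, multi-label or wildcard leaves: never accept "*" from an assertion.
    return bool(leaf) and "." not in leaf and "*" not in leaf


def subscription_level(asserted: str,
                       entitlements: Dict[str, str] = ENTITLEMENTS) -> Optional[str]:
    """Highest level granted by any purchased scope covering the asserted one, or None."""
    levels = [lvl for bought, lvl in entitlements.items() if scope_matches(bought, asserted)]
    return max(levels, key=lambda lvl: LEVEL_RANK.get(lvl, 0)) if levels else None


@dataclass
class Session:
    targeted_id: str      # stable across the consortia domain (derived from entity IDs)
    scope: str            # may change as the user moves between organisational units
    level: Optional[str]  # what they are entitled to see right now


def start_session(targeted_id: str, scope: str, profiles: Dict[str, List[str]],
                  entitlements: Dict[str, str] = ENTITLEMENTS) -> Tuple[Session, List[str]]:
    """Key personalisation on the targeted ID only; derive access from the scope only."""
    profile = profiles.setdefault(targeted_id, [])  # e.g. the user's saved searches
    return Session(targeted_id, scope, subscription_level(scope, entitlements)), profile


def rotation_demo() -> Tuple[Optional[str], Optional[str], List[str]]:
    """A doctor saves a search at one trust, then rotates to another (constructed data)."""
    profiles: Dict[str, List[str]] = {}
    tid = "opaque-targeted-id-abc123"  # hypothetical value; stays the same after the move
    session, profile = start_session(tid, "1345345.eng.nhs.uk", profiles)
    profile.append("sepsis guidelines")
    before = session.level  # "premium": the trust-specific entitlement applies
    session, profile = start_session(tid, "1047384.eng.nhs.uk", profiles)
    after = session.level   # "core": only the wildcard entitlement applies
    return before, after, profile  # the saved search survives the move


if __name__ == "__main__":
    print(rotation_demo())
```

Whichever form is matched, the asserted scope should only be trusted once the IdP that sent it has been verified as one the federation allows to assert that scope; the matching above decides what a valid scope is entitled to, not whether the scope is genuine.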