Group Management System for Federated Identities with Flow Control of Membership Information by Subjects

Federated identities are rapidly spreading, especially in the academic world. Some services in identity federations need ID groups to provide the collaborative work and/or access control based on contracts with groups. Some existing group management systems in identity federations can provide services with group membership information, but they lack support for contracts and flow control of the membership information. It is important that the group administrators can control the group membership information to avoid unintentional information disclosure. We propose the concept of Member Attribute Provider (mAP) with membership information control by group administrators and service administrators, which provides membership information of groups to services within an identity federation. We have made an implementation in Japanese academic access management federation called GakuNin, and make sure that it works properly with several production-level services.