
SURFconext offers Service Providers a REST endpoint to query groups. The platform supports multiple sources for these groups:

  • SURFteams
  • External Group Providers (e.g. groups from institutions)

The group memberships of a Person can be used to offer the logged-in user more context in a Service (e.g. show the user's groups as Google groups in Google, show spaces based on the group memberships in the Confluence wiki, or show tabs in the Rave portal). Besides offering the logged-in user more context, the groups can also be used as a source of authorization:

Either the membership of a certain group is mandatory in order to log in to the Service Provider (this is enforced by SURFconext) or the Service Provider uses the group memberships to limit the resources shown to the user (the SURFconext Confluence wiki is an example of this use case).

We strongly encourage institutions to follow the VOOT protocol when implementing their external group endpoint. The VOOT protocol is an extension of the OpenSocial protocol. The VOOT documentation is still in draft and the OpenSocial documentation is extensive. For this reason we provide an overview of the relevant parts of the protocol on this page.

The external group provider endpoint provided by the institutions (in the remainder of this page referred to as 'endpoint') supports two methods:

  • Get all groups (memberships) for a certain Person
  • Get all members for a certain Group

The 

Authentication: 3-legged OAuth with an OAuth provider connected to SURFconext (in order to have the SSO experience when a user has to authenticate)
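
An added example, not SURFconext's or the VOOT specification's code: how a Service Provider might turn the "all groups for a Person" result into an authorization filter that shows nothing when the membership list is malformed or incomplete. The response field names (`startIndex`, `totalResults`, `entry`, `id`), the `fetch_page` callable and all sample data are assumptions; this page does not define them.

```python
class IncompleteGroupList(Exception):
    """The endpoint's pages were malformed or did not cover totalResults."""

def collect_group_ids(fetch_page, page_size=2, max_pages=50):
    """Gather all group ids for the logged-in user across pages.

    fetch_page(start_index, count) is a hypothetical callable that makes the
    OAuth-authenticated request and returns the decoded JSON body. The field
    names below are assumed from the OpenSocial collection format.
    """
    group_ids, start = set(), 0
    for _ in range(max_pages):
        body = fetch_page(start, page_size)
        entries = body.get("entry") if isinstance(body, dict) else None
        total = body.get("totalResults") if isinstance(body, dict) else None
        if not isinstance(entries, list) or not isinstance(total, int):
            raise IncompleteGroupList("malformed response")
        for entry in entries:
            if isinstance(entry, dict) and isinstance(entry.get("id"), str):
                group_ids.add(entry["id"])
        start += len(entries)
        if start >= total:
            return group_ids
        if not entries:  # more results promised, none delivered
            break
    raise IncompleteGroupList("pages do not cover totalResults")

def visible_resources(resources, fetch_page):
    """Keep resources whose required group id exactly matches a membership.
    If the membership list cannot be obtained completely, show nothing."""
    try:
        memberships = collect_group_ids(fetch_page)
    except IncompleteGroupList:
        return []
    return [r["name"] for r in resources if r["required_group"] in memberships]

# Constructed sample data: three memberships, served two per page.
SAMPLE_GROUPS = [{"id": "urn:example:group:wiki-editors", "title": "Wiki editors"},
                 {"id": "urn:example:group:physics-101", "title": "Physics 101"},
                 {"id": "urn:example:group:staff", "title": "Staff"}]
SAMPLE_RESOURCES = [{"name": "Editors space", "required_group": "urn:example:group:wiki-editors"},
                    {"name": "Admin space", "required_group": "urn:example:group:admins"},
                    {"name": "Staff space", "required_group": "urn:example:group:staff"}]

def sample_fetch_page(start_index, count):
    page = SAMPLE_GROUPS[start_index:start_index + count]
    return {"startIndex": start_index, "totalResults": len(SAMPLE_GROUPS),
            "itemsPerPage": len(page), "entry": page}

if __name__ == "__main__":
    print(visible_resources(SAMPLE_RESOURCES, sample_fetch_page))
```

Matching is done on the full group id rather than the display title, so two groups from different sources with the same title cannot be confused.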

Pagination:  

  
