News and Events

“How to deploy a unified communications network” and MAGIC offers free online trainings on these services “How to deploy a unified communications network” and MAGIC offers free online trainings on these services Friday, 02 June 2017 Both courses are part of the work carried out in the MAGIC project during the last...
Global Science Communities: an example of MAGIC success Global Science Communities: an example of MAGIC success Wednesday, 31 May 2017 The MAGIC project just completed two years working to achieve its main objective...

Responsible partner: RENATER

Sympa is not only the more complete opensource mailing-list manager. Sympa wears in its genes group management since 18 years, with a userfriendly web interface. In Sympa, the groups can be provisionned by multiple protocols : VOOT, LDAP, SQL, flat files, SMTP, SOAP and other Sympas. In Sympa the groups membership can be requested by various protocols : VOOT, SAML2, SQL. Sympa proposes 4 different roles. Sympa accepts various authentication method : Federation (SAML2), LDAP, X509. Sympa is scalable for big VOs (with more than 1.000.000 members).

At RENATER (the service is called Universalistes) Sympa has been linked with their tools so that each VO hosted at RENATER can benefit, in one click, from mailing list, Wiki (with public and private pages), Foodl, LimeSurvey, Filesender, among others. They have copled Sympa with an Attribute Authority in order to permit Sympa group authorizations on any external Services Providers using SAML protocol. The RENATER's Sympa infrastructure is used by more than 1600 VOs with up to 300000 members, but there are biggest deployments in the world.

License: Free Software distributed under GNU General Public License, version 2
Current deployments: All over the world, here are some of the well known organizations that use Sympa
Modes of deployment: As a Service in Universalistes or as a Software
Sustainability model: maintained by RENATER and the OpenSource community

Responsible partner: CESNET

PERUN is an identity and access management system. It covers management of the whole user life cycle, including user registration, expiration or suspension of the user. It is a tool, whose key features are virtual organisation management, user management, group management, resource management and service management. The system can be customized for various use cases. PERUN has been designed to work in distributed environments like identity federations and grids.

PERUN does not manage primary user identities; users have to come with some existing identity like federated identity, social identity or digital certificate. Users can link those identities, so they will be recognized properly even if they use different identities. Users does not need to create any additional credentials, because PERUN can publish linked identities to the end services.

Because user communities usually already have some local user/group management system which cannot by simply connected to the federated services, PERUN supports import/export of existing users/groups. Currently, there is support for communication with external sources using VOOT, SAML2, LDAP, VOMS, SQL (MySQL, Oracle, SQLite) or import data from XML and CSV files. Synchronization can work in both ways.

Basic component for group management is virtual organisation (VO), this concept has been adapted from computational grid environments. Every VO can have several groups and each group can be nested like a tree, so it can have its own subgroup, where the access rights are inherited in the same way. Users be in several VOs as well in any number of groups. Each VO and each group has its own VO/group managers. VO can have not only groups but also resources which represent services to which VO members can have an access. Actually, access management in PERUN is done on group level. Every group can have an access to VO’s resources. The responsibility for the group management can be delegated from VO manager to the group manager. The group manager can be specific user from the VO or other exiting group in VO. Those group administrators obtain permissions to handle the access to resource/service via group membership, so the VO manager is not the only responsible person and does not have to handle all permission/membership issues in the VO.

PERUN is specific for its push mechanism which is used for delivering data about users and groups (authorization data) to the end services. Access management for federated services is supported by attribute authority (managed by PERUN), but the services which need to know about the user in advance (e.g. videoconferencing systems, reservation systems, computational resources) cannot use attributes about the users from identity federation, because they come when the user logs in. PERUN is able to push the information about users/groups to those services via various communication channels.

PERUN provides its functions and components via various APIs. The basic API is REST-like API, using JSON as a data container. In case some external system wants to use PERUN’s functions and components and does not want to use RESTlike API, there is possibility to connect via Java library, JavaScript library, PERL library or PHP library. PERUN pushes also information to the LDAP which is then used by Attribute Authority or Identity Provider, so information stored in PERUN can be used in identity federation world.

PERUN has several production deployments where manages tens of thousands users, hundreds of virtual organizations and manages access to nearly 2000 services.

License: FreeBSD License
Current deployments: Czech eInfrastructure, EGI, ELIXIR, SAGRID, Masaryk University
Modes of deployment: as a service or as a VM
Sustainability model: Maintained by CESNET and Masaryk University

Virtual Organisation Orthogonal Technology (VOOT) standard extends SCIM to exchange information about groups and its members in federated environment. Old version 1.0, which is currently used in some products (Perun, OpenConext, Grouper, COmanage), is not compatible with the new one. Version 1.08 defines a protocol for read-only access to information about users’ group membership within an organisation or aggregated across organisations and their role in these groups. VOOT 1.0 provides REST API, which supports 2 calls: retrieve a list of groups the user is member of and retrieve the list of people that are members of a group the user is also member of. Only JSON data format is supported.

Current version 2.0 defines a protocol and a data model. Protocol provides information about groups and roles. All requests towards VOOT provider have to be authenticated with an OAuth2.0 Bearer Token. Information about authorization can be found here Protocol can work very well also with OpenID Connect. Data model extends SCIM model with membership object and group types object, so it has four entities: user, membership, group and group type. Group type can be chosen according to the situation, there is no detailed specification in core itself about group types, so it is up to communities to standardize it. Thanks to these 2 additional entities, comparing to SCIM, it is possible to build more flexible environment using VOOT 2.0 data model. For example, when user wants to belong to one group and have 2 different roles in this group, it is possible now with the membership entity, which is a big advantage.

MAGIC Partners


Contact us

If you need some other information about MAGIC, please write us to

Connect with us

We're on Social Networks. Follow us & get in touch.


This project is co-funded by the Horizon 2020 Framework Programme of the European Union

EC emblem