Skip to content
Permalink
6cbd8efdeb
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

iam-knowledge-bits/identifier-guidance.adoc

Go to file
 
 
Cannot retrieve contributors at this time
Draft Identifier Guidance I. Unique, persistent, non-reassignable identifiers II. Other identifiers III. Identifier Crosswalk Requirement
38 lines (24 sloc) 3.15 KB
Raw Blame

Draft Identifier Guidance

I. Unique, persistent, non-reassignable identifiers

In this document, terminology on identifiers follows section 1.2 of eduPerson 2020-01, https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-IdentifierConcepts.

IAM’s own internal id: generated by IAM system, for internal IAM system use only. Every person known to the IAM system gets one. Example id name: iid, example id structure: UUID. Not name based.

public IAM id: generated by IAM system, can be asserted to other systems. Every person known to the IAM system gets one. Example id name: subject-id. It is strongly recommended that adopters follow section 3.3.1 of SAML V2.0 Subject Identifier Attributes Profile Version 1.0, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html, and be structured as 'uniqueId' + '@' + 'scope' where uniqueId is 1-127 alphanumeric characters (A-Z,0-9), or "-", or "=". The first character must be alphanumeric. Matches must be case sensitive though lower-case values are recommended. A uniqueId may be name-based or not at the choice of the deployer. Be aware that some applications will display the public IAM id in their UI.

From SAML Attribute Profile, 3.3.1, "It is RECOMMENDED that the unique ID be exclusively upper- or lower-case when expressed or stored to facilitate ease of comparison. Scope is separated from uniqueId by an "@" character, "It is RECOMMENDED that scopes be expressed in lower case, since they are…​frequently, though not required to be, in the form of DNS domains"

II. Other identifiers

pairwise-id An identifier that offers some protection against service provider to service provider identity correlation. pairwise-id is defined in section 3.4 of SAML V2.0 Subject Identifier Attributes Profile Version 1.0. It is defined to be "a unique external key specific to a particular relying party". Its syntax is identical to that of the subject-id described above, but not name-based.

IdP login id: Identifier entered by a person when prompted to log in with their chosen Identity provider. Example id names: username, netId; Consider adopting the subject-id syntax rules above to prevent commonly-occurring issues with other id forms.

Source-assigned identifiers Often assigned by a resource provider (local or federated). ID structure: the digital representation must carry both a registered source system identifier (e.g. HR, SIS) and a unique identifier within that system.

III. Identifier Crosswalk Requirement

The IAM system should support on-request mapping of any identifier it carries to any other identifier it knows for the same person.

2021-04-07 11:45 recent posts on identifiers

Jon Miner: Certainly not exhaustive, but I have a doc on identifiers here at Madison and how to choose among them: https://kb.wisc.edu/iam/95753, Choosing Identifiers for Your Application. Higher Education Knowledge Base content management, sharing and collaboration platform.

Albert Wu: Did I hear identifiers? Understanding Federated User Identifiers. https://spaces.at.internet2.edu/display/federation/understanding-federated-user-identifiers