Showing 1 changed file with 38 additions and 0 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| === Draft Identifier Guidance | ||
|
|
||
| ==== I. Unique, persistent, non-reassignable identifiers | ||
|
|
||
| In this document, terminology on identifiers follows section 1.2 of _eduPerson 2020-01_, https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-IdentifierConcepts. | ||
|
|
||
| *IAM's own internal id*: generated by IAM system, for internal IAM system use only. Every person known to the IAM system gets one. | ||
| Example id name: iid, example id structure: UUID. Not name based, | ||
|
|
||
| *public IAM id*: generated by IAM system, can be asserted to other systems. Every person known to the IAM system gets one. | ||
| Example id name: subject-id. It is strongly recommended that adopters follow section 3.3.1 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html, and be structured as 'uniqueId' + '@' + 'scope' where uniqueId is 1-127 alphanumeric characters (A-Z,0-9), or "-", or "=". The first character must be alphanumeric. Matches must be _case insensitive_. UniqueId may be name-based or not at the choice of the deployer. Be aware that some applications will display the public IAM id in their UI. | ||
|
|
||
| From SAML Attribute Profile, 3.3.1, "It is RECOMMENDED that the _unique ID be exclusively upper- or lower-case_ when expressed or stored to facilitate ease of comparison. Scope is separated from uniqueId by an "@" character, "It is RECOMMENDED that scopes be expressed in _lower case_, since they are...frequently, though not required to be, in the form of DNS domains" | ||
|
|
||
| ==== II. Other identifiers | ||
|
|
||
| *pairwise-id* An identifier that offers some protection against service provider to service provider identity correlation. *pairwise-id* is defined in section 3.4 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_. It is defined to be "a unique external key specific to a particular relying party". Its syntax is identical to that of the *subject-id* described above. | ||
|
|
||
| *IdP login id*: Identifier entered by a person when prompted to log in with their chosen Identity provider. | ||
| Example id names: username, netId; Consider adopting the subject-id syntax rules above to prevent commonly-occurring issues with other id forms. | ||
|
|
||
| *Source-assigned identifiers* Often assigned by a resource provider (local or federated). ID structure: the digital representation must carry both a registered source system identifier (e.g. HR, SIS) and a unique identifier within that system. | ||
|
|
||
| ==== III. Identifier Crosswalk Requirement | ||
|
|
||
| The IAM system should support on-request mapping of any identifier it carries to a different identifier it knows for the same person. | ||
|
|
||
| - - - | ||
| _2021-04-07 11:45 recent posts on identifiers_ | ||
|
|
||
| Jon Miner: | ||
| Certainly not exhaustive, but I have a doc on identifiers here at Madison and how to choose among them: | ||
| https://kb.wisc.edu/iam/95753, *Choosing Identifiers for Your Application*. | ||
| Higher Education Knowledge Base content management, sharing and collaboration platform. | ||
|
|
||
| Albert Wu: | ||
| Did I hear identifiers? *Understanding Federated User Identifiers*. | ||
| https://spaces.at.internet2.edu/display/federation/understanding-federated-user-identifiers |
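Review bot: the crosswalk requirement in section III ("The IAM system should support on-request mapping of any identifier it carries to a different identifier it knows for the same person") carries no authorization or scoping constraint, which undercuts the *pairwise-id* in section II, whose stated purpose is "protection against service provider to service provider identity correlation"; an unrestricted crosswalk that maps a pairwise-id back to the subject-id or iid hands any requester exactly the correlation the pairwise-id exists to prevent. Suggest qualifying the requirement, e.g. "...to a different identifier it knows for the same person, where the requesting party is authorized to receive both identifiers; a pairwise-id is mapped only for the relying party it was issued to." Two smaller points in section I: the *IAM's own internal id* item ends mid-sentence ("Not name based,"), and the quotation from profile section 3.3.1 has unbalanced quotation marks (the quote opened before "It is RECOMMENDED that the _unique ID be exclusively upper- or lower-case_" is never closed before the second quoted sentence begins); both should be completed before the draft is promoted.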