Showing 1 changed file with 49 additions and 0 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| personIdentifiers.adoc | ||
|
|
||
| - - - | ||
| _2021-03-31 12:44 SIWG meeting on person identifiers_ | ||
|
|
||
| Person identifier handling in | ||
| COm, Grpr, mP, LDAP, AD | ||
|
|
||
| identifier characteristics: Definitive statement for HE and Research: https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers | ||
|
|
||
| . unique across the IdPs population Y/N | ||
| - globally unique by inclusion of a scope element or domain identifier | ||
| . name-based or otherwise recognizable? Y/N | ||
| . opaque (not name-based or otherwise recognizable) Y/N | ||
| - permanent (changes are rare or non-existent) | ||
| - re-assignable (once assigned, a given identifier value will never be reused and assigned to another person) | ||
| - pairwise (formerly called targeted): A person has a different identifier for each service or resource provider with which they interact | ||
|
|
||
|
|
||
| . What is the primary, wholly internal person identifier in your package? | ||
| . What identifier(s) do you expose to other packages? | ||
| - Do you maintain a crosswalk between each external system identifier and your internal identifier? | ||
| . How do you handle changes to name-based identifiers | ||
| - | ||
|
|
||
| - - - | ||
|
|
||
| Hypothetical Precondition: | ||
|
|
||
| A person was just now added to a System of Record, | ||
| midPoint has not yet processed this, so has no record of their existence | ||
|
|
||
| Process A: A Grouper admin wants to manage groups for the new person | ||
| . Grouper admin types something they know about the person (a name or email or other identifier) into Grouper | ||
| .. Case 1: Subject lookup--not found. What happens then? | ||
| .. Case 2: Person is found in subject source. What identifier is used when adding them as a member to a group? | ||
| ... What manages getting subjects into the subject source | ||
| ... How does midPoint associate this group member with a know user? | ||
|
|
||
| "Solutions and tradeoffs" | ||
|
|
||
| . Have Grouper subject source be provisioned by midPoint; | ||
| .. Consequences: Grouper subject search will fail until new person appears in subject source | ||
|
|
||
| . Have ID Match always return an identifier for the queried person | ||
| .. works for cases where ID Match can definitively match a known identity or definitively be recognized as new, and return the identifier in either case | ||
| .. If the result is multiple candidate matches that require human resolution, Id Match does not immediately return an identifier | ||
| .. Fix: Have ID Match assign a new identifier to the person in question and return immediately while starting the identity resolution workflow | ||
| ... Consequence: If a match with an existing user is eventually found, an identifier correction needs to take place |
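Review bot: the "re-assignable" characteristic in the identifier checklist is defined backwards: "once assigned, a given identifier value will never be reused and assigned to another person" describes a non-reassignable identifier, which is the property you actually want before keying group membership or authorization on a value. Either rename the bullet to "non-reassignable" or reword the definition to "may be released and later assigned to a different person". Since this checklist is meant to be filled in for COmanage, Grouper, midPoint, LDAP and AD, the polarity matters: a Y recorded against the inverted definition would mark a reusable directory account name as safe to use as a person key, which is exactly the identifier-correction problem the "Solutions and tradeoffs" section is trying to avoid. Smaller points in the same file: "name-based or otherwise recognizable? Y/N" and "opaque (not name-based or otherwise recognizable) Y/N" are complements and ask the same question twice, so keep one; the bare "-" under "How do you handle changes to name-based identifiers" is an empty bullet that should either get its sub-item or be dropped; "a know user" should read "a known user"; and "Id Match" should match the "ID Match" spelling used in the surrounding bullets.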