From 89c2db2b4ea8886a4e6e4289872272b4cad91526 Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Wed, 31 Mar 2021 13:56:49 -0500 Subject: [PATCH] Create person-identifiers.adoc --- person-identifiers.adoc | 49 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 person-identifiers.adoc diff --git a/person-identifiers.adoc b/person-identifiers.adoc new file mode 100644 index 0000000..eee68db --- /dev/null +++ b/person-identifiers.adoc 
@@ -0,0 +1,49 @@ +personIdentifiers.adoc + +- - - +_2021-03-31 12:44 SIWG meeting on person identifiers_ + +Person identifier handling in +COm, Grpr, mP, LDAP, AD + +identifier characteristics: Definitive statement for HE and Research: https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers + +. unique across the IdPs population Y/N +- globally unique by inclusion of a scope element or domain identifier +. name-based or otherwise recognizable? Y/N +. opaque (not name-based or otherwise recognizable) Y/N +- permanent (changes are rare or non-existent) +- re-assignable (once assigned, a given identifier value will never be reused and assigned to another person) +- pairwise (formerly called targeted): A person has a different identifier for each service or resource provider with which they interact + + +. What is the primary, wholly internal person identifier in your package? +. What identifier(s) do you expose to other packages? +- Do you maintain a crosswalk between each external system identifier and your internal identifier? +. How do you handle changes to name-based identifiers +- + +- - - + +Hypothetical Precondition: + +A person was just now added to a System of Record, +midPoint has not yet processed this, so has no record of their existence + +Process A: A Grouper admin wants to manage groups for the new person +. Grouper admin types something they know about the person (a name or email or other identifier) into Grouper +.. Case 1: Subject lookup--not found. What happens then? +.. Case 2: Person is found in subject source. What identifier is used when adding them as a member to a group? +... What manages getting subjects into the subject source +... How does midPoint associate this group member with a know user? + +"Solutions and tradeoffs" + +. Have Grouper subject source be provisioned by midPoint; +.. Consequences: Grouper subject search will fail until new person appears in subject source + +. 
Have ID Match always return an identifier for the queried person +.. works for cases where ID Match can definitively match a known identity or definitively be recognized as new, and return the identifier in either case +.. If the result is multiple candidate matches that require human resolution, Id Match does not immediately return an identifier +.. Fix: Have ID Match assign a new identifier to the person in question and return immediately while starting the identity resolution workflow +... Consequence: If a match with an existing user is eventually found, an identifier correction needs to take place
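Review bot: the definition on the "re-assignable" line is inverted: "re-assignable (once assigned, a given identifier value will never be reused and assigned to another person)" describes a non-reassignable identifier, which is the property the Shibboleth NameIdentifiers page this section links to treats as desirable for persistent identifiers. Suggest either renaming the characteristic to "non-reassignable (...)" or keeping "re-assignable" and stating the property it actually denotes, e.g. "re-assignable: a given identifier value may later be assigned to a different person Y/N", so that the checklist is answered consistently with the Y/N form used on the "unique" and "opaque" lines. Smaller points in the same hunk: the "permanent" and "pairwise" lines lack the Y/N marker the other characteristics carry; the list mixes `.` (numbered) and `-` (bullet) AsciiDoc markers at the same level, which renders as interleaved numbered and unnumbered lists; the question "How do you handle changes to name-based identifiers" is missing its question mark and is followed by an empty `-` item; and "a know user" should read "a known user". On the last "Fix" item, the stated consequence ("an identifier correction needs to take place") would be worth expanding with what happens to group memberships created under the provisional identifier in Case 2 during the resolution window, since those memberships are the access-bearing artefact that the correction has to reconcile.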