From c212b2b07bd316957f404bf122a4d819e01441f6 Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Tue, 13 Apr 2021 08:52:51 -0500 Subject: [PATCH] Update identifier-guidance.adoc --- identifier-guidance.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/identifier-guidance.adoc b/identifier-guidance.adoc index 73a104c..d33c6e7 100644 --- a/identifier-guidance.adoc +++ b/identifier-guidance.adoc 
@@ -8,7 +8,7 @@ In this document, terminology on identifiers follows section 1.2 of _eduPerson 2 Example id name: iid, example id structure: UUID. Not name based, *public IAM id*: generated by IAM system, can be asserted to other systems. Every person known to the IAM system gets one. - Example id name: subject-id. It is strongly recommended that adopters follow section 3.3.1 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html, and be structured as 'uniqueId' + '@' + 'scope' where uniqueId is 1-127 alphanumeric characters (A-Z,0-9), or "-", or "=". The first character must be alphanumeric. Matches must be _case insensitive_. UniqueId may be name-based or not at the choice of the deployer. Be aware that some applications will display the public IAM id in their UI. + Example id name: subject-id. It is strongly recommended that adopters follow section 3.3.1 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html, and be structured as 'uniqueId' + '@' + 'scope' where uniqueId is 1-127 alphanumeric characters (A-Z,0-9), or "-", or "=". The first character must be alphanumeric. Matches must be _case insensitive_. A uniqueId may be name-based or not at the choice of the deployer. Be aware that some applications will display the public IAM id in their UI. From SAML Attribute Profile, 3.3.1, "It is RECOMMENDED that the _unique ID be exclusively upper- or lower-case_ when expressed or stored to facilitate ease of comparison. Scope is separated from uniqueId by an "@" character, "It is RECOMMENDED that scopes be expressed in _lower case_, since they are...frequently, though not required to be, in the form of DNS domains" 
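Review bot: The wording change on the `+` line ("A uniqueId may be name-based or not") is fine, but the same line still carries an inconsistency worth fixing in this pass: it defines the uniqueId alphabet as "alphanumeric characters (A-Z,0-9)" while the next sentences require case-insensitive matching and quote the profile's advice that the unique ID be "exclusively upper- or lower-case", which only makes sense if lower-case letters are valid too. Suggest "(A-Z, a-z, 0-9)" so the character set and the case rules agree. The quotation that begins `"It is RECOMMENDED that the _unique ID be exclusively upper- or lower-case_ ...` is also never closed before "Scope is separated from uniqueId"; add the closing quote after "ease of comparison." so the reader can tell where the profile text ends and the document's own text resumes.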
@@ -23,7 +23,7 @@ From SAML Attribute Profile, 3.3.1, "It is RECOMMENDED that the _unique ID be ex ==== III. Identifier Crosswalk Requirement -The IAM system should support on-request mapping of any identifier it carries to a different identifier it knows for the same person. +The IAM system should support on-request mapping of any identifier it carries to any other identifier it knows for the same person. - - - _2021-04-07 11:45 recent posts on identifiers_
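Review bot: Broadening "a different identifier" to "any other identifier" on the `+` line makes the crosswalk requirement unconditional, and the requirement does not say who may request the mapping or under what policy. Since the first hunk distinguishes a *public IAM id* that "can be asserted to other systems" from identifiers that are not meant to be released, an unqualified any-to-any crosswalk reads as allowing any requester to resolve a public id to every other identifier the IAM system holds. Suggest qualifying the sentence, for example: "The IAM system should support on-request mapping of any identifier it carries to any other identifier it knows for the same person, subject to the release and authorization policy that applies to the target identifier."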