Person Identifiers: Issues and Observations

Person identifier handling in COmanage, Grouper, midPoint, LDAP, and AD

Definitive Statement of Identifier Characteristics for HE and Research

Unique across the IdPs population (Y/N)

  • COmanage: external identifiers are tuples: {identifier for the external source, PersonID assigned by that source}. Enter an ePPN, or send a link in email for new people being added.
    COmanage: in general, a multi-valued list of identifiers, each paired with a source identifier; there is also a non-shared internal ID.
    Reference ID: two match modes: match up front, or configure COmanage to match based on the RefID. The registry gets a reference ID and stores it.
    The Match API backend is just a database that understands reference ID and source ID; provision to LDAP and point the Grouper subject source at LDAP.

  • Grouper defines "id" as the person identifier and "identifier" as potentially anything that can uniquely identify a person. Person identifiers indicate a single person in a system, but any attribute unique to the person can serve as an identifier for search queries, e.g., email, name, LoginID, ...
    Grouper external users: the ePPN serves as the identifier in the subject source.

  • midPoint: OID is the internal identifier in midPoint; its syntax is like a UUID. OID is permanent and not shared. NAME is a name-based identifier (others could be added); it can change if needed and could be a campus ID that users tend to know.
    Globally unique by inclusion of a scope element or domain identifier.
    midPoint can generate any other unique ID and share it with external systems.

Name-based or otherwise recognizable? (Y/N)

Generally, internal IDs are not name-based.

Opaque (not name-based or otherwise recognizable) (Y/N)

Permanent (Y/N)

Minimally: the identifier is expected to represent the same person over time. Changes are rare, but there are some situations in which identifier merges are necessary.

Non re-assignable (Y/N)

Once assigned, a given identifier value will never be reused and assigned to another person.

Pairwise (formerly called targeted id) (Y/N)

A person has a different identifier for each service or resource provider with which they interact

Discussion

What is the primary, wholly internal person identifier in your package?

COmanage: identifier modules generate identifiers with the desired characteristics.

KeithL: If you make a REST call: here's the user, get the OID, use that in the actual REST call.

What identifier(s) do you expose to other packages? The internal ID plus the source/identifier tuple.

midPoint can generate anything you want; it is configurable. DO NOT USE OID externally; the midPoint API itself is a case where you could use OID.

Do you maintain a crosswalk between each external system identifier and your internal identifier? Correlation rule: the connector says how the ID in an external system maps to the ID in midPoint; midPoint maintains that link over subsequent changes.

How do you handle changes to name-based identifiers?

- Connectors can work with opaque identifiers: a UID (used to link to the midPoint user) plus another identifier, perhaps name-based; midPoint can update the name-based identifier.

If UID link breaks, correlation can relink.

Issue: Timing of unique identifier assignment in IAM system

A person was just now added to a System of Record; midPoint has not yet processed this, so it has no record of their existence.

Process A: A Grouper admin wants to manage groups for the new person. The Grouper admin types something they know about the person (a name, email, or other identifier) into Grouper.

  • Case 1: Subject lookup fails (not found). What happens then?

  • Case 2: The person is found in the subject source. What identifier is used when adding them as a member to a group?

    • What manages getting subjects into the subject source?

    • How does midPoint associate this group member with a known user?

Solutions and tradeoffs

  1. Have the Grouper subject source be provisioned by midPoint.

    1. Consequence: Grouper subject search will fail until the new person appears in the subject source.

  2. Have ID Match always return an identifier for the queried person.

    1. This works for cases where ID Match can definitively match a known identity or definitively recognize the person as new, and return the identifier in either case.

    2. If the result is multiple candidate matches that require human resolution, ID Match does not immediately return an identifier.

    3. Fix: Have ID Match assign a new identifier to the person in question and return it immediately, while starting the identity resolution workflow.

      1. Consequence: If a match with an existing user is eventually found, an identifier correction needs to take place.
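The "return an identifier immediately, resolve later" approach in solution 2, including the identifier correction it forces when a provisional person turns out to be an existing one, as an added toy model (not code from COmanage, midPoint, or any ID Match implementation). The crosswalk is keyed by (source, source id) tuples as in the COmanage notes above; the rules that an email match is definitive and a name-only match needs human resolution are assumptions for illustration.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class IdMatch:
    """Toy ID Match: opaque reference ids, crosswalk keyed by (source, source_id) tuples."""
    identities: dict = field(default_factory=dict)   # ref_id -> {"name", "email", "sources"}
    crosswalk: dict = field(default_factory=dict)    # (source, source_id) -> ref_id
    pending: dict = field(default_factory=dict)      # provisional ref_id -> candidate ref_ids

    def _register(self, ref_id, key, name, email):
        self.identities[ref_id] = {"name": name, "email": email, "sources": {key}}
        self.crosswalk[key] = ref_id
        return ref_id

    def match(self, source, source_id, name, email):
        """Always returns (ref_id, status); ambiguous cases get a provisional ref_id."""
        key = (source, source_id)
        if key in self.crosswalk:                       # definitive: tuple already known
            return self.crosswalk[key], "existing"
        strong = [r for r, a in self.identities.items() if a["email"] == email]
        if len(strong) == 1:                            # definitive match (assumed rule: email)
            self.identities[strong[0]]["sources"].add(key)
            self.crosswalk[key] = strong[0]
            return strong[0], "existing"
        weak = [r for r, a in self.identities.items() if a["name"] == name]
        ref_id = self._register(uuid.uuid4().hex, key, name, email)  # opaque, not name-based
        if not strong and not weak:                     # definitively new
            return ref_id, "new"
        self.pending[ref_id] = strong + weak            # human resolution workflow starts;
        return ref_id, "provisional"                    # caller can proceed (e.g. Grouper membership)

    def resolve(self, provisional, chosen=None):
        """Human decision: merge provisional into `chosen`, or confirm it as a new person.
        Returns the (old, new) identifier correction downstream systems must apply, or None."""
        candidates = self.pending.pop(provisional)
        if chosen is None:
            return None                                 # confirmed new: provisional id becomes permanent
        if chosen not in candidates:
            raise ValueError("chosen identity was not a candidate")
        attrs = self.identities.pop(provisional)
        self.identities[chosen]["sources"] |= attrs["sources"]
        for key in attrs["sources"]:                    # re-point the crosswalk entries
            self.crosswalk[key] = chosen
        return (provisional, chosen)
```

The correction tuple returned by `resolve` is the consequence noted in 2.3.1: every system that already stored the provisional identifier (for example a group membership created before resolution finished) has to be told to replace it.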