Person Identifiers: Issues and Observations
Person identifier handling in COmanage, Grouper, midPoint, LDAP, and AD
Revision: 01, (2021-04-09)
Self-link: https://github.internet2.edu/khazelton/person-identifiers/blob/main/person-identifiers.adoc
Editor: Keith Hazelton, hazelton@internet2.edu
Definitive Statement of Identifier Characteristics for HE and Research
Unique across the IdP population (Y/N)
- COmanage: external identifiers are tuples {identifier for the external source, PersonID assigned by that source}. New people are added by entering an ePPN, or via the link in an invitation email.
- COmanage: in general, a multi-valued list of identifiers, each paired with a source identifier; there is also a non-shared internal ID.
- Reference ID: two match modes. Either match up front, or configure COmanage to match based on the Reference ID. The registry receives a Reference ID and stores it.
- The Match API backend is just a database that understands the Reference ID and the source ID. Provision to LDAP, then point the Grouper subject source at LDAP.
- Grouper defines "id" as the person identifier and "identifier" as potentially anything that can uniquely identify a person. A person identifier indicates a single person in a system, but any attribute unique to the person can serve as an identifier for search queries, e.g. email, name, login ID, ...
- Grouper external users: ePPN serves as the identifier in the subject source. (Caveat: ePPN is name-based and, at some campuses, may be reassigned, so on its own it does not meet the opaque and non-reassignable characteristics below.)
- midPoint: OID is the internal identifier in midPoint; its syntax is like a UUID. OID is permanent and not shared. NAME is a name-based identifier (others could be added) that can change if needed; it could be a campus ID that users tend to know.
- Globally unique by inclusion of a scope element or domain identifier.
- midPoint can generate any other unique ID and share it with external systems.
Name-based or otherwise recognizable? (Y/N)
- Generally, internal IDs are not name-based.
Opaque (not name-based or otherwise recognizable) (Y/N)
Permanent (Y/N)
- Minimally: an identifier is expected to represent the same person over time. Changes are rare, but there are situations in which identifier merges are necessary.
Non re-assignable (Y/N)
- Once assigned, a given identifier value will never be reused and assigned to another person.
Pairwise (formerly called targeted ID) (Y/N)
- A person has a different identifier for each service or resource provider with which they interact.
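The characteristics above can be exercised in code. The following Python sketch is an added example, not code from COmanage, Grouper or midPoint: a toy registry that mints opaque, scoped identifiers, refuses ever to reissue a value (even after its holder is retired), and derives a pairwise identifier per service provider with an HMAC over the internal identifier and the SP entity ID. The scope `example.edu`, the secret, the SP entity IDs and the sample people are constructed for the example.

```python
import hashlib
import hmac
import uuid


class IdentifierRegistry:
    """Mints person identifiers with the characteristics listed above.

    - Opaque: the value is a random UUID, derived from nothing about the person.
    - Globally unique: the value carries a scope (the organisation's domain).
    - Permanent / non-reassignable: every value ever issued is remembered, so a
      retired value can never be handed to a second person.
    - Pairwise: a per-service-provider identifier is derived with an HMAC over the
      internal identifier and the SP's entity ID, so two SPs cannot join their
      identifiers, yet each SP sees a stable value over time.
    """

    def __init__(self, scope, pairwise_secret):
        self.scope = scope                   # assumed scope, e.g. "example.edu"
        self._pairwise_secret = pairwise_secret
        self._active = {}                    # identifier -> person record
        self._ever_issued = set()            # never shrinks

    def mint(self, person):
        """Issue a fresh opaque, scoped identifier for a person."""
        while True:
            value = "%s@%s" % (uuid.uuid4(), self.scope)
            # uuid4 collisions are negligible; the check states the invariant
            if value not in self._ever_issued:
                break
        self._ever_issued.add(value)
        self._active[value] = person
        return value

    def retire(self, value):
        """Person leaves: the value stops resolving but stays reserved forever."""
        del self._active[value]

    def import_legacy(self, value, person):
        """Load an identifier from an older system (e.g. during a migration).

        Returns False, and assigns nothing, if the value was ever issued here,
        even if its original holder has since been retired.
        """
        if value in self._ever_issued:
            return False
        self._ever_issued.add(value)
        self._active[value] = person
        return True

    def lookup(self, value):
        return self._active.get(value)

    def pairwise_id(self, value, sp_entity_id):
        """Targeted (pairwise) identifier for one service provider."""
        if value not in self._active:
            raise KeyError(value)
        msg = ("%s\x00%s" % (value, sp_entity_id)).encode()
        digest = hmac.new(self._pairwise_secret, msg, hashlib.sha256).hexdigest()
        return "%s@%s" % (digest, self.scope)


if __name__ == "__main__":
    reg = IdentifierRegistry("example.edu", b"constructed-demo-secret")
    alice = reg.mint({"displayName": "Alice Example"})   # constructed sample person
    print(alice)
    print(reg.pairwise_id(alice, "https://sp1.example.org/shibboleth"))
    print(reg.pairwise_id(alice, "https://sp2.example.org/shibboleth"))
```

The HMAC secret is the only thing standing between "pairwise" and "correlatable": if it leaks, anyone holding both pairwise values and the internal identifier can confirm the linkage, so it should be managed like a signing key, not a configuration string.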
Discussion
What is the primary, wholly internal person identifier in your package?
- COmanage: identifier modules generate identifiers with the desired characteristics.
- KeithL: If you make a REST call: here's the user, get the OID, use that in the actual REST call.
What identifier(s) do you expose to other packages?
- Internal ID plus the {source, identifier} tuple.
- midPoint: generate anything you want; it is configurable. DO NOT USE the OID outside midPoint; the midPoint API itself is the one case where you could use the OID.
Do you maintain a crosswalk between each external system identifier and your internal identifier?
- midPoint: a correlation rule in the connector (resource) configuration says how the ID in the external system maps to an ID in midPoint; midPoint maintains the link over subsequent changes.
How do you handle changes to name-based identifiers?
- midPoint: connectors can work with opaque identifiers: a UID (used to link the account to the midPoint user) and another identifier, perhaps name-based; midPoint can update the name-based identifier.
- If the UID link breaks, correlation can re-establish the link.
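Added example, not midPoint's own code: a toy model of the link and correlation behaviour just described. The user-to-account link is keyed on the resource's opaque UID; an assumed correlation rule on email is consulted only when a link is missing. A rename of the name-based identifier therefore leaves every link intact, and an account re-created on the resource under a new UID is relinked by correlation. The users, accounts and the email rule are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class MidPointUser:
    oid: str     # permanent, internal, never shared
    name: str    # name-based identifier; may change
    email: str


@dataclass
class ResourceAccount:
    uid: str     # opaque identifier assigned by the resource (assumed, e.g. an LDAP entryUUID)
    login: str   # name-based identifier on the resource
    mail: str


class AmbiguousMatch(Exception):
    pass


class ResourceLink:
    """Keeps the user <-> account link for one resource.

    Links are keyed on the resource's opaque UID, never on the login name, so
    renaming a user leaves every link intact. The correlation rule on mail is
    used only to establish, or re-establish, a missing link.
    """

    def __init__(self, users):
        self.users = {u.oid: u for u in users}
        self.links = {}   # resource uid -> oid

    def correlate(self, account):
        """Assumed correlation rule: exactly one user whose email equals the account's mail."""
        hits = [u.oid for u in self.users.values()
                if u.email.lower() == account.mail.lower()]
        if len(hits) > 1:
            raise AmbiguousMatch(account.uid)
        return hits[0] if hits else None

    def reconcile(self, accounts):
        """Bring links in line with what is currently on the resource.

        Returns (linked, unmatched): uids newly linked, and uids nobody matched.
        """
        present = {a.uid for a in accounts}
        # an account that disappeared takes its link with it; the user keeps its OID
        for uid in [u for u in self.links if u not in present]:
            del self.links[uid]
        linked, unmatched = [], []
        for acct in accounts:
            if acct.uid in self.links:
                continue
            oid = self.correlate(acct)
            if oid is None:
                unmatched.append(acct.uid)   # left for ID Match / manual handling
            else:
                self.links[acct.uid] = oid
                linked.append(acct.uid)
        return linked, unmatched

    def rename(self, oid, new_name):
        """Change the name-based identifier; return the accounts whose login would now be updated outbound."""
        self.users[oid].name = new_name
        return [uid for uid, o in self.links.items() if o == oid]

    def owner(self, uid):
        return self.links.get(uid)
```

The unmatched list is the interesting output: an account that no correlation rule claims is either an orphan or belongs to someone the IAM system has not heard of yet, which is exactly the timing issue discussed below.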
Issue: Timing of unique identifier assignment in the IAM system
A person was just now added to a System of Record; midPoint has not yet processed this, so it has no record of their existence.
Process A: A Grouper admin wants to manage groups for the new person.
. The Grouper admin types something they know about the person (a name, an email, or another identifier) into Grouper.
.. Case 1: Subject lookup, not found. What happens then?
.. Case 2: The person is found in the subject source. What identifier is used when adding them as a member to a group?
... What manages getting subjects into the subject source?
... How does midPoint associate this group member with a known user?
"Solutions and tradeoffs"
- Have the Grouper subject source be provisioned by midPoint.
* Consequence: Grouper subject search will fail until the new person appears in the subject source.
- Have ID Match always return an identifier for the queried person.
* This works for cases where ID Match can definitively match a known identity or definitively recognize the person as new; it returns the identifier in either case.
* If the result is multiple candidate matches that require human resolution, ID Match does not immediately return an identifier.
* Fix: Have ID Match assign a new identifier to the person in question and return it immediately, while starting the identity resolution workflow.
* Consequence: If a match with an existing user is eventually found, an identifier correction needs to take place, and it must reach every system that has already received the provisional identifier.
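The second option and its fix, as an added example that is not code from any ID Match implementation: a toy matcher that always answers with an identifier. A match on the source system's own identifier is definitive; otherwise an assumed rule on last name plus date of birth yields candidates, and any non-definitive candidate set gets a provisional identifier immediately plus a queued resolution case. Resolving the case either confirms a new person or merges the provisional identifier into an existing one, keeping an alias so anything already provisioned under the provisional value can be repointed. Systems of record, identifiers and people are constructed for the example.

```python
import itertools


class IdMatch:
    """Toy ID Match that always answers with an identifier.

    - definitive match on (system of record, its identifier) -> existing reference id
    - no candidate -> new reference id
    - one or more non-definitive candidates -> a provisional reference id is issued
      at once and the case is queued for human resolution; resolving it may merge
      the provisional id into an existing one (the "identifier correction")
    """

    def __init__(self):
        self._seq = itertools.count(1)
        self.people = {}     # reference id -> record
        self.pending = {}    # provisional reference id -> candidate reference ids
        self.aliases = {}    # merged-away reference id -> surviving reference id

    def _new_id(self):
        return "ref-%06d" % next(self._seq)

    @staticmethod
    def _record(attrs, provisional):
        return {"sor_ids": {(attrs["sor"], attrs["sor_id"])},
                "last": attrs["last"], "dob": attrs["dob"],
                "provisional": provisional}

    def _candidates(self, attrs):
        key = (attrs["sor"], attrs["sor_id"])
        definitive = [rid for rid, p in self.people.items() if key in p["sor_ids"]]
        if definitive:
            return definitive, True
        # assumed fuzzy rule: same last name (case-insensitive) and date of birth
        fuzzy = [rid for rid, p in self.people.items()
                 if p["last"].lower() == attrs["last"].lower() and p["dob"] == attrs["dob"]]
        return fuzzy, False

    def match(self, attrs):
        """Return (reference_id, status); status is 'existing', 'new' or 'pending'."""
        cands, definitive = self._candidates(attrs)
        if definitive:
            return cands[0], "existing"
        if not cands:
            rid = self._new_id()
            self.people[rid] = self._record(attrs, provisional=False)
            return rid, "new"
        rid = self._new_id()                 # issued now so provisioning can proceed
        self.people[rid] = self._record(attrs, provisional=True)
        self.pending[rid] = cands
        return rid, "pending"

    def resolve(self, provisional_id, same_as=None):
        """Human resolution. same_as=None confirms a genuinely new person."""
        cands = self.pending.pop(provisional_id)
        if same_as is None:
            self.people[provisional_id]["provisional"] = False
            return provisional_id
        if same_as not in cands:
            raise ValueError("%s is not a candidate for %s" % (same_as, provisional_id))
        # identifier correction: merge into the survivor, but keep the provisional
        # id resolvable so downstream systems that already hold it can be repointed
        merged = self.people.pop(provisional_id)
        self.people[same_as]["sor_ids"] |= merged["sor_ids"]
        self.aliases[provisional_id] = same_as
        return same_as

    def canonical(self, rid):
        """Follow merge aliases to the identifier that should be used now."""
        while rid in self.aliases:
            rid = self.aliases[rid]
        return rid
```

The alias table is what makes the "consequence" bullet tractable: Grouper memberships or LDAP entries created under the provisional identifier can be found and rewritten by walking `canonical()`, rather than by guessing which downstream records were touched while the case was open.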