Update person-identifiers.adoc
khazelton authored Apr 9, 2021
1 parent 08f45da commit 42785d0
Showing 1 changed file with 11 additions and 9 deletions.
20 changes: 11 additions & 9 deletions person-identifiers.adoc
@@ -22,14 +22,13 @@ https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers

==== Unique across the IdPs population Y/N?

Google does have its own internal-only identifier
identifier is a tuple, sourceID + personID from that source
enter ePPN, or link in email for new ppl being added
id to label person in system, but also identifiers for looking them up: email, name,....LoginID
id and identifier (anything that can uniquely identify a person
Grouper external users is where the ePPN for a new member

COm: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID
COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID
Grouper:

Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it
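Review bot: the new "COmanage:" line carries over the wording "multi-values list of identifiers" from the "COm:" line it replaces; "multi-valued list" is the intended phrase, so fix it while the line is being touched. The "Grouper:" entry in this hunk still has no content, and the earlier line "Grouper external users is where the ePPN for a new member" breaks off mid-sentence, so the Grouper identifier model remains undocumented after this change; "Refereence ID" in the trailing context line is also a typo for "Reference ID".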
@@ -39,21 +38,25 @@ COm: In general, a multi-values list of identifiers paired with a source identif
provision to LDAP, point Grouper subject source at LDAP;


mp: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know
midPoint: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know
- globally unique by inclusion of a scope element or domain identifier
- mP can generate any other unique id and share with external systems

==== name-based or otherwise recognizable? Y/N
internal id: No
Internal ida are not name-based

==== opaque (not name-based or otherwise recognizable) Y/N

==== permanent (changes are rare or non-existent)
can be merged if necessary.
==== permanent

==== Non re-assignable (once assigned, a given identifier value will never be reused and assigned to another person)
Minimally: identifier is expected to represent the same person over time.
Changes are rare but some situations in which identifier merges are necessary.

==== Non re-assignable (once assigned
A given identifier value will never be reused and assigned to another person)

==== Pairwise (formerly called targeted): A person has a different identifier for each service or resource provider with which they interact
==== Pairwise (formerly called targeted):
A person has a different identifier for each service or resource provider with which they interact


=== What is the primary, wholly internal person identifier in your package?
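Review bot: splitting "==== Non re-assignable (once assigned, a given identifier value will never be reused and assigned to another person)" into a heading and a body line leaves the parenthesis unbalanced: the heading now ends with "(once assigned" and the body line "A given identifier value will never be reused and assigned to another person)" closes a parenthesis that was opened in the heading. Either keep the full definition in the heading or make the body a standalone sentence without the trailing ")". Two wording problems are introduced in the same hunk: "Internal ida are not name-based" should read "Internal ids", and "Changes are rare but some situations in which identifier merges are necessary" is missing a verb ("but there are some situations ..."). Since the "permanent" section now admits merges while the "Non re-assignable" section promises a value is never reused for another person, the merge text should say what happens to the retired identifier value after a merge, so readers can tell the two properties are still consistent. Finally, the renamed "midPoint:" line keeps "OID is permanent, not shared name is a name-based identifier" with no separator; "not shared; name is a name-based identifier" reads as intended.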
@@ -75,7 +78,6 @@ connectors can work w opaque: UID (used to link to the midPoint user, and anothe
If UID link breaks, correlation can relink.



=== Issue: Timing of unique identifier assignment in IAM system

A person was just now added to a System of Record,

0 comments on commit 42785d0