From 42785d03f7767cac1b935ff95bf91ebcc620112b Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Fri, 9 Apr 2021 07:13:18 -0500 Subject: [PATCH] Update person-identifiers.adoc --- person-identifiers.adoc | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/person-identifiers.adoc b/person-identifiers.adoc index a452d49..de9298a 100644 --- a/person-identifiers.adoc +++ b/person-identifiers.adoc @@ -22,14 +22,13 @@ https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers ==== Unique across the IdPs population Y/N? -Google does have its own internal-only identifier identifier is a tuple, sourceID + personID from that source enter ePPN, or link in email for new ppl being added id to label person in system, but also identifiers for looking them up: email, name,....LoginID id and identifier (anything that can uniquely identify a person Grouper external users is where the ePPN for a new member -COm: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID +COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID Grouper: Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it 
@@ -39,21 +38,25 @@ COm: In general, a multi-values list of identifiers paired with a source identif provision to LDAP, point Grouper subject source at LDAP; -mp: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know +midPoint: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know - globally unique by inclusion of a scope element or domain identifier - mP can generate any other unique id and share with external systems ==== name-based or otherwise recognizable? Y/N -internal id: No +Internal ida are not name-based + ==== opaque (not name-based or otherwise recognizable) Y/N -==== permanent (changes are rare or non-existent) -can be merged if necessary. +==== permanent -==== Non re-assignable (once assigned, a given identifier value will never be reused and assigned to another person) +Minimally: identifier is expected to represent the same person over time. +Changes are rare but some situations in which identifier merges are necessary. +==== Non re-assignable (once assigned +A given identifier value will never be reused and assigned to another person) -==== Pairwise (formerly called targeted): A person has a different identifier for each service or resource provider with which they interact +==== Pairwise (formerly called targeted): +A person has a different identifier for each service or resource provider with which they interact === What is the primary, wholly internal person identifier in your package? @@ -75,7 +78,6 @@ connectors can work w opaque: UID (used to link to the midPoint user, and anothe If UID link breaks, correlation can relink. - === Issue: Timing of unique identifier assignment in IAM system A person was just now added to a System of Record,
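Review bot: The first hunk (@@ -22,14) expands "COm:" to "COmanage:", which helps, but the removed "Google does have its own internal-only identifier ..." line also carried two facts that do not survive anywhere else in the section: that Google's identifier is a tuple (sourceID + personID) and that "Grouper external users is where the ePPN for a new member" enters. If dropping them is deliberate, fine; otherwise fold them into the remaining "COmanage:" / "Grouper:" lines. While this line is being rewritten, "multi-values list" should read "multi-valued list", and the trailing Grouper context still has the "Refereence ID" typo.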
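Review bot: The second hunk (@@ -39,21) leaves an unbalanced parenthesis in a section title: "+==== Non re-assignable (once assigned" opens a bracket that is only closed on the following body line "A given identifier value will never be reused and assigned to another person)". Suggest keeping the title as "==== Non re-assignable" and making the body a full sentence, "Once assigned, a given identifier value will never be reused and assigned to another person." Two smaller points in the same hunk: "+Internal ida are not name-based" has "ida" for "ids", and "Changes are rare but some situations in which identifier merges are necessary." is missing a verb ("but there are some situations ..."). Also note that "==== opaque (not name-based or otherwise recognizable) Y/N" now has no body text at all, so a reader cannot tell whether the answer is yes or no for any of the packages.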
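Review bot: The third hunk (@@ -75,7) is whitespace-only, but please confirm that at least one blank line still separates "If UID link breaks, correlation can relink." from "=== Issue: Timing of unique identifier assignment in IAM system"; in AsciiDoc a section title that directly follows a paragraph line is parsed as part of that paragraph rather than rendered as a heading. If the context shows the remaining blank line, this is fine as is.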