Update person-identifiers.adoc

khazelton · Apr 9, 2021 · 71bdfc7 · 71bdfc7
1 parent 3ebb9d2
commit 71bdfc7
Showing 1 changed file with 13 additions and 18 deletions.
diff --git a/person-identifiers.adoc b/person-identifiers.adoc
@@ -22,28 +22,24 @@ https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers
 
 ==== Unique across the IdPs population Y/N?
 
-  In COmanage, external identifier are tuples: {Identifier for the external source, PersonID assigned by that source}
-  enter ePPN, or link in email for new ppl being added
-  id to label person in system, but also identifiers for looking them up: email, name,....LoginID
-  id and identifier (anything that can uniquely identify a person
-  Grouper external users is where the ePPN for a new member
-
-COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID
-  Grouper: 
-
-  Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it 
-
-  Match API backend is just a database that understands ref id and sourceID
-
-  provision to LDAP, point Grouper subject source at LDAP;
-
+- *COmanage*, external identifier are tuples: {Identifier for the external source, PersonID assigned by that source}
+- Enter ePPN, or link in email for new ppl being added
+- COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID
+- Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it 
+- Match API backend is just a database that understands ref id and sourceID, rovision to LDAP, point Grouper subject source at LDAP;
+
+
+- *Grouper* defines "id" as person identifier and "identifier" as potentially anything that can uniquely identify a person
+- Person identifiers indicate a single person in a system, but any attribute unique to the person can serve as an identifier for search queries: E.g., email, name, LoginID,...
+- Grouper external users: ePPN serves as the identifier in the subject source 
 
-midPoint: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know
+*midPoint:* OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know
 - globally unique by inclusion of a scope element or domain identifier
 - mP can generate any other unique id and share with external systems
 
+
 ==== name-based or otherwise recognizable? Y/N
-Internal ida are not name-based
+Generally, internal ida are not name-based
 
 ==== opaque (not name-based or otherwise recognizable) Y/N
 
@@ -77,7 +73,6 @@ connectors can work w opaque: UID (used to link to the midPoint user, and anothe
 
 If UID link breaks, correlation can relink.
 
-
 === Issue: Timing of unique identifier assignment in IAM system
 
 A person was just now added to a System of Record,