From 71bdfc79dac2aa4e986db2e28c551768ed54bd0f Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Fri, 9 Apr 2021 07:29:32 -0500 Subject: [PATCH] Update person-identifiers.adoc --- person-identifiers.adoc | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/person-identifiers.adoc b/person-identifiers.adoc index ed441b1..e20fc28 100644 --- a/person-identifiers.adoc +++ b/person-identifiers.adoc 
@@ -22,28 +22,24 @@ https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers ==== Unique across the IdPs population Y/N? - In COmanage, external identifier are tuples: {Identifier for the external source, PersonID assigned by that source} - enter ePPN, or link in email for new ppl being added - id to label person in system, but also identifiers for looking them up: email, name,....LoginID - id and identifier (anything that can uniquely identify a person - Grouper external users is where the ePPN for a new member - -COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID - Grouper: - - Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it - - Match API backend is just a database that understands ref id and sourceID - - provision to LDAP, point Grouper subject source at LDAP; - +- *COmanage*, external identifier are tuples: {Identifier for the external source, PersonID assigned by that source} +- Enter ePPN, or link in email for new ppl being added +- COmanage: In general, a multi-values list of identifiers paired with a source identifier; there is a non-shared internal ID +- Refereence ID: two match modes: Match up front; config. COmanage to match based on RefID. registry gets a ref id, and stores it +- Match API backend is just a database that understands ref id and sourceID, rovision to LDAP, point Grouper subject source at LDAP; + + +- *Grouper* defines "id" as person identifier and "identifier" as potentially anything that can uniquely identify a person +- Person identifiers indicate a single person in a system, but any attribute unique to the person can serve as an identifier for search queries: E.g., email, name, LoginID,... 
+- Grouper external users: ePPN serves as the identifier in the subject source -midPoint: OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know +*midPoint:* OID is permanent, not shared name is a name-based identifier (other could be added), can change if needed, could be a campus id that users tend to know - globally unique by inclusion of a scope element or domain identifier - mP can generate any other unique id and share with external systems + ==== name-based or otherwise recognizable? Y/N -Internal ida are not name-based +Generally, internal ida are not name-based ==== opaque (not name-based or otherwise recognizable) Y/N @@ -77,7 +73,6 @@ connectors can work w opaque: UID (used to link to the midPoint user, and anothe If UID link breaks, correlation can relink. - === Issue: Timing of unique identifier assignment in IAM system A person was just now added to a System of Record,
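Review bot: in the `@@ -22,28 +22,24 @@` hunk the new `+- Match API backend ...` bullet joins two unrelated notes with a comma, and the second half is a Grouper point that now sits under COmanage: `Match API backend is just a database that understands ref id and sourceID, rovision to LDAP, point Grouper subject source at LDAP;` also loses the `p` of `provision`. Suggest keeping the Match API sentence as its own bullet and moving `provision to LDAP, point Grouper subject source at LDAP` to a bullet under `*Grouper*`, where the removed `Grouper:` block had it. Smaller points on the `+` lines: `Refereence ID` (Reference), `multi-values list` (multi-valued), `ppl` (people), `*COmanage*, external identifier are tuples` reads better as `In *COmanage*, external identifiers are tuples` as the removed line had it, and `Generally, internal ida are not name-based` should say `ids`. The `*midPoint:*` line still runs `OID is permanent, not shared name is a name-based identifier` together; since the `- globally unique ...` and `- mP can generate ...` lines below it stay as bullets, splitting it into `- OID is permanent, not shared` and `- name is a name-based identifier (other could be added), ...` would match the list style the hunk gives the COmanage and Grouper sections.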
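Review bot: the `@@ -77,7 +73,6 @@` hunk only removes a stray blank line ahead of `=== Issue: Timing of unique identifier assignment in IAM system`, which is fine provided one blank line still separates that section title from `If UID link breaks, correlation can relink.`; AsciiDoc only starts a new section when the title line is not a continuation of the preceding paragraph. While touching this file, the subject `Update person-identifiers.adoc` says nothing about the restructuring in the first hunk; a subject such as `Convert COmanage/Grouper/midPoint identifier notes to bullet lists` would help anyone reading the history.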