subject-id-guidance-wg - Re: Asynchronous work - IDP guidance
Subject: InCommon SAML Subject Identifiers Deployment Guidance Working Group
- From: "" <>
- To: "Morgan, Andrew J" <>
- Cc: "Jones, Mark B" <>, IAM David Bantz <>,
- Subject: Re: Asynchronous work - IDP guidance
- Date: Sun, 25 Aug 2024 14:40:53 -0800
Sunday musings…
Near term goal IMO should be rapid adoption of samlSubjectID as good practice for new SP-IdP integrations, replacing reliance on ePPN, uid, mail or other common choices.
Revising release policies for existing integrations at this point would be a very difficult sell IMO; hard for me to imagine many SPs or IdPs devoting resources to that. Perhaps at some future time when widely deployed with track record of avoiding issues of other identifiers.
If we do want to include transition advice, first topic would be screening questions to determine which integrations merit the pain of revising attribute release and consumption policies. And that screening would have to consider at least existing identifiers uid and mail and nameID in Subject as well as ePPN, IMO.
David.Bantz@Alaska.edu
On Aug 23, 2024, at 20:16, Morgan, Andrew J <> wrote:
That is correct - EPPN values are not suitable for subject-id values.
What guidance do we give to IDP operators that are currently releasing EPPN? Assume they have already determined the value to release for subject-id. Should they stop releasing EPPN and release subject-id instead or should there be a period of overlap when both values are released? What about the access entity categories?
This discussion is not about migrating EPPN values into subject-id. It is about how to start using subject-id and stop using EPPN and other identifiers.
Thanks,
Andy
From: Jones, Mark B <>
Sent: Friday, August 23, 2024 4:44 PM
To: IAM David Bantz <>; Morgan, Andrew J <>; <>
Subject: Re: Asynchronous work - IDP guidance
+1
From: <> on behalf of IAM David Bantz <>
Sent: Friday, August 23, 2024 6:28 PM
To: Morgan, Andrew J <>
Cc: <>
Subject: Re: Asynchronous work - IDP guidance
I was surprised to read discussion of migration strategy from eduPersonPrincipalName to samlSubjectID.
My impression is that ePPN is generally name-based, thus not really persistent, thus inappropriate for samlSubjectID.
David
On Fri, Aug 23, 2024 at 9:06 AM Morgan, Andrew J <> wrote:
Hi everyone,
During today's meeting, we started discussing implementation guidance for IDPs. Please read the meeting notes (https://docs.google.com/document/d/1YINTg3Tvjdmx_2HpNs4pdFmL3iHYXGKZBefRxDm3QQ4/edit#heading=h.mrl26y9cootl) and help us develop actual positions and guidance on this topic. For now, put this at the end of the working document (https://docs.google.com/document/d/1EOVPkPjCs0W6jGFrPwOq6_KMeACma__9WJ71CEeVfYU/edit) under the "Things to Ponder" heading.
See you next week!
Thanks,
Andy
- Asynchronous work - IDP guidance, Morgan, Andrew J, 08/23/2024
- Re: Asynchronous work - IDP guidance, IAM David Bantz, 08/23/2024
- Re: Asynchronous work - IDP guidance, Jones, Mark B, 08/23/2024
- Re: Asynchronous work - IDP guidance, Morgan, Andrew J, 08/24/2024
- Re: Asynchronous work - IDP guidance, , 08/25/2024
- RE: Asynchronous work - IDP guidance, Jones, Mark B, 08/26/2024
- RE: Asynchronous work - IDP guidance, Boomer, Joanne, 08/26/2024
- Re: Asynchronous work - IDP guidance, Albert Wu, 08/30/2024