technical-discuss - [InC-Technical] default attribute release policy
- From: Tom Scavo <>
- To: Scott Koranda <>
- Subject: [InC-Technical] default attribute release policy
- Date: Thu, 8 Jun 2017 09:48:37 -0400
On Thu, Jun 8, 2017 at 7:36 AM, Scott Koranda wrote:
>
> The VOs I have been working with have so far relied on ePPN and not
> ePTID or any other targeted identifiers. The primary reason is the need
> to "see" the same user at multiple SPs operated by the VO.
>
> Somewhat ironically this is changing now as the VOs are preparing to
> deploy IdP/SP proxies in production and present a single SP to the
> federation(s). The reason is for better interoperability because of IdPs
> that will only send targeted identifiers.
That is good to hear! In that case, can we shift the discussion from
pairwise identifiers to default attribute release policy?

It's looking more and more like OIDC gets this right. AFAIK, all OIDC
transactions require the IdP to release the 'sub' claim: a persistent,
non-reassigned identifier. The IdP may choose to release a pairwise
version of the 'sub' claim but it is not required to do so nor can the
SP compel the IdP to release a pairwise identifier (or otherwise).

Eventually the Shibboleth IdP (and other implementations) will support
the OIDC protocol but in the meantime why not align with OIDC and
recommend that IdPs release a persistent, non-reassigned identifier to
all SPs? That would require nontrivial effort but I think it has
higher probability of success than other proposals that have been
floated lately.
Tom
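The public-versus-pairwise distinction drawn above for the OIDC 'sub' claim, as an added example that is not part of the original message and not code from InCommon, Shibboleth or any OIDC implementation. It follows the non-normative derivation in OpenID Connect Core 1.0 section 8.1 (SHA-256 over sector identifier, local account identifier and a secret salt); the account table, redirect URIs, sector_identifier_uri and salt are constructed for illustration.

```python
"""Public vs. pairwise OIDC subject identifiers (added example, constructed data).

A 'public' sub is the same persistent, non-reassigned value for every
Relying Party (RP).  A 'pairwise' sub is stable for one sector (the host
of the RP's sector_identifier_uri, or of its redirect_uri) but differs
across sectors, so two RPs in different sectors cannot correlate the user.
"""
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed IdP-side data: local account identifiers that are never
# reassigned, plus a per-IdP secret salt (illustrative values only).
LOCAL_ACCOUNTS: Dict[str, str] = {
    "jdoe": "urn:example:account:0001",
    "asmith": "urn:example:account:0002",
}
PAIRWISE_SALT = b"constructed-idp-secret-salt-do-not-reuse"


def sector_identifier(redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Host that groups RPs into one sector (OIDC Core 8.1).

    A registered sector_identifier_uri takes precedence; otherwise the
    redirect_uri host is used.
    """
    uri = sector_identifier_uri or redirect_uri
    host = urlparse(uri).hostname
    if not host:
        raise ValueError("URI has no host component: %r" % uri)
    return host.lower()


def public_sub(username: str) -> str:
    """Public subject type: identical at every RP."""
    return LOCAL_ACCOUNTS[username]


def pairwise_sub(username: str, redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Pairwise subject type, per the 8.1 example: SHA-256(sector || account || salt)."""
    sector = sector_identifier(redirect_uri, sector_identifier_uri)
    material = sector.encode("utf-8") + LOCAL_ACCOUNTS[username].encode("utf-8") + PAIRWISE_SALT
    return hashlib.sha256(material).hexdigest()


def same_user_visible(subs: List[str]) -> bool:
    """True when every RP in the list received the same sub for the user."""
    return len(set(subs)) == 1


def demo() -> Dict[str, bool]:
    """Three deployments of two SPs operated by one virtual organization."""
    rp_a = "https://sp1.vo.example.org/callback"   # constructed
    rp_b = "https://sp2.vo.example.org/callback"   # constructed
    # Both RPs registered a common sector_identifier_uri: one logical sector.
    shared_sector = "https://sso.vo.example.org/redirect_uris.json"  # constructed
    return {
        "public_correlates": same_user_visible(
            [public_sub("jdoe"), public_sub("jdoe")]),
        "pairwise_separate_sectors_correlates": same_user_visible(
            [pairwise_sub("jdoe", rp_a), pairwise_sub("jdoe", rp_b)]),
        "pairwise_shared_sector_correlates": same_user_visible(
            [pairwise_sub("jdoe", rp_a, shared_sector), pairwise_sub("jdoe", rp_b, shared_sector)]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run as a script, the first and third cases report True and the second False: a public sub, or a pairwise sub within a single shared sector, lets the two SPs recognise the same user, while pairwise subs issued to separate sectors do not. This is the same constraint that pushes the VOs in the quoted message toward an IdP/SP proxy once IdPs send only targeted identifiers: the proxy collapses the VO's SPs into one sector from the IdP's point of view.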