InCommon Technical Discussions

["Cantor, Scott" <>]

> That is good to hear! In that case, can we shift the discussion from
> pairwise identifiers to default attribute release policy?

Not when the consequence if that everybody has to deploy a proxy. That's just 
insane. If people want to, ok, but we shouldn't be giving people the idea 
that this is a rational state of affairs.

That goes doubly when you consider that SAML persistent IDs are *broken* 
because of the case requirements.

> It's looking more and more like OIDC gets this right.

No. Case sensitivity alone makes it unusable in many apps, for the same 
reason SAML persistent IDs are.

> AFAIK, all OIDC
> transactions require the IdP to release the 'sub' claim: a persistent,
> non-reassigned identifier. The IdP may choose to release a pairwise
> version of the 'sub' claim but it is not required to do so nor can the
> SP compel the IdP to release a pairwise identifier (or otherwise).

Except that some SPs*do* require that. Burying both in one attribute is not a 
sensible approach. We have to handle both cases.

> Eventually the Shibboleth IdP (and other implementations) will support
> the OIDC protocol but in the meantime why not align with OIDC and
> recommend that IdPs release a persistent, non-reassigned identifier to
> all SPs? That would require nontrivial effort but I think it has
> higher probability of success than other proposals that have been
> floated lately.

That much I generally agree with, but we need two attributes. Signaling the 
semantic difference outside of the attribute name is just silly to me.

In any case, if people want to discuss this, *please* join the InCommon 
deployment profile calls. We are literally discussing all of this right now, 
and have been for weeks.

-- Scott