
technical-discuss - Re: [InC-Technical] default attribute release policy

Subject: InCommon Technical Discussions

Re: [InC-Technical] default attribute release policy


  • From: Roland Hedberg <>
  • To: "Cantor, Scott" <>
  • Cc: Tom Scavo <>, Scott Koranda <>, "" <>
  • Subject: Re: [InC-Technical] default attribute release policy
  • Date: Thu, 8 Jun 2017 21:15:29 +0200


> On 8 Jun 2017, at 17:53, Cantor, Scott
> <>
> wrote:
>
>> AFAIK, all OIDC
>> transactions require the IdP to release the 'sub' claim: a persistent,
>> non-reassigned identifier. The IdP may choose to release a pairwise
>> version of the 'sub' claim but it is not required to do so nor can the
>> SP compel the IdP to release a pairwise identifier (or otherwise).
>
> Except that some SPs *do* require that. Burying both in one attribute is not
> a sensible approach. We have to handle both cases.

An SP/RP can in the client registration specify that it wants pairwise and not
public identifiers.

So, an SP can require pairwise identifiers. It can’t do it per authentication
request though.

All this with the proviso that the IdP/OP supports pairwise identifiers.

— Roland
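The mechanism Roland describes (the RP asking for pairwise subjects at client registration time, and the OP honouring that only if it supports them) can be illustrated with a small model of the OP side. The following is an added example written for this archive page, not code from any of the participants or from any OIDC implementation. It models a simplified Dynamic Client Registration check on the `subject_type` metadata value and derives pairwise `sub` values with the illustrative algorithm given in OpenID Connect Core 1.0 section 8.1 (SHA-256 over the sector identifier, the local account id and an OP-held salt). The client records, the salt and the base64url encoding of the digest are constructed assumptions for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample client registrations; none of these are real RPs.
CLIENTS = {
    "client-public": {
        "redirect_uris": ["https://app.example.org/cb"],
        "subject_type": "public",
    },
    "client-pairwise": {
        "redirect_uris": ["https://rp.example.net/cb"],
        "subject_type": "pairwise",
    },
    # Redirect URIs on several hosts: a sector_identifier_uri is then required
    # so that the OP can compute one stable sector for all of them.
    "client-pairwise-multi": {
        "redirect_uris": ["https://a.example.com/cb", "https://b.example.com/cb"],
        "subject_type": "pairwise",
        "sector_identifier_uri": "https://sector.example.com/rps.json",
    },
}

# Assumed OP-wide secret salt; a real OP keeps this out of source control.
OP_SALT = b"constructed-op-salt-for-example-only"


def sector_identifier(reg):
    """Return the sector identifier for a registration (host of
    sector_identifier_uri, or the single host shared by all redirect_uris)."""
    if "sector_identifier_uri" in reg:
        return urlparse(reg["sector_identifier_uri"]).hostname
    hosts = {urlparse(uri).hostname for uri in reg["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; sector_identifier_uri required")
    return hosts.pop()


def register_client(request, op_subject_types_supported=("public", "pairwise")):
    """Validate the subject_type part of a (simplified) registration request.

    Mirrors the proviso in the thread: an RP may ask for pairwise subjects,
    but the OP must actually support them, otherwise registration fails.
    """
    subject_type = request.get("subject_type", "public")
    if subject_type not in ("public", "pairwise"):
        raise ValueError(f"unknown subject_type {subject_type!r}")
    if subject_type not in op_subject_types_supported:
        raise ValueError(f"OP does not support subject_type {subject_type!r}")
    if subject_type == "pairwise":
        sector_identifier(request)  # fail early if no sector can be derived
    record = {"redirect_uris": list(request["redirect_uris"]), "subject_type": subject_type}
    if "sector_identifier_uri" in request:
        record["sector_identifier_uri"] = request["sector_identifier_uri"]
    return record


def pairwise_sub(sector, local_account_id, salt=OP_SALT):
    """Pairwise subject per the OIDC Core 8.1 example:
    SHA-256(sector_identifier || local_account_id || salt), base64url-encoded."""
    digest = hashlib.sha256(sector.encode() + local_account_id.encode() + salt).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def subject_for(client_id, local_account_id, clients=CLIENTS):
    """Pick the sub value to release to a client, based on its registration,
    not on anything in the individual authentication request."""
    reg = clients[client_id]
    if reg.get("subject_type", "public") == "pairwise":
        return pairwise_sub(sector_identifier(reg), local_account_id)
    return local_account_id


if __name__ == "__main__":
    for cid in CLIENTS:
        print(cid, "->", subject_for(cid, "alice"))
```

Two RPs that share a sector identifier receive the same pairwise `sub` for a given user, while RPs in different sectors receive values that cannot be correlated without the OP's salt; the choice is fixed by the registration record, which is why it cannot be toggled per authentication request.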

