SlideShare a Scribd company logo

20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

Download as PPTX, PDF
J
Jon Agland

Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifer

Technology
1 of 21
Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifier? Jon Agland Trust and Identity, Jisc Internet2 ACAMP 2023 (Unconference session) 2023-09-22 [Slides based on a 2021 presentation, to aid discussion]
Subject Identifiers in the UK federation Subject Identifiers in the UK federation 2 • Background (What are they, existing, the new standard, problems) • Supporting the new standard as IdP (first) • Supporting the new standard as SP (later) • Supporting the new standard as a federation operator
What are Subject Identifiers? Subject - a person or thing that is being discussed, described, or dealt with. Identifier - a person or thing that identifies someone or something. Subject Identifiers in the UK federation 3
Existing Subject Identifiers in the federation From the eduPersonSchema [1] eduPersonTargetedID is an abstracted version of the SAML V2.0 Name Identifier format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" eduPersonPrincipalName is a scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 4
Further identifiers in the federation eduPersonNamePrincipalPrior  multi-valued  only one SP has this a Requested Attribute eduPersonUniqueID  appeared in 2013, low take-up  indication that 59 SPs have Requested Attributes for this  Only one of those directly registered in the UK federation.  [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 5
Requested Attribute as an indicator Requested Attributes as a (bad!) indicator of attribute usage... eduPersonTargetedID - 674 eduPersonPrinicpalName - 1269 • Federation default policy – advises release of both these by IdPs to SPs • Only 378 of 1731 SPs in the UK federation have Requested Attributes in their metadata. Subject Identifiers in the UK federation 6
Existing Subject Identifiers in SAML Subject Identifiers in the UK federation 7 Name Identifiers  Some commonly used NameIDs  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent  urn:oasis:names:tc:SAML:2.0:nameid-format:transient  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress  An IdP in the UK federation will typically release  Transient in the Subject  Persistent in a SAML Attribute (eduPersonTargetedID)
Email Address as an Identifier Subject Identifiers in the UK federation 8  Not guaranteed unique to a subject  e.g. service@ukfederation.org.uk  Maybe be re-assigned  e.g. vc@camford.ac.uk  e.g. joe.bloggs@camford.ac.uk  Life events or affiliation may change it  Not always assigned by institution  May not be validated  https://spaces.at.internet2.edu/display/federation/why-is-email- not-an-appropriate-user-identifier  Hear our war story! "Return To Sender" by pheezy is licensed under CC BY 2.0
New Standard – SAML Subject Identifiers Subject Identifiers in the UK federation 9 Two new SAML Attributes defined in a new standard [1]  urn:oasis:names:tc:SAML:attribute:subject-id  bob123132@example.ac.uk  Alignment with eduPersonUniqueID  urn:oasis:names:tc:SAML:attribute:pairwise-id  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Hang on this looks familiar? SAML1/eduPerson mace-dir/eduPersonTargetedID.old  Review the problem statement in the standard.  [1] http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
Drivers – SAML Subject Identifiers Subject Identifiers in the UK federation 10 • New standard has been ratified for over two years. • Use cases are coming... • eduPerson 2020-01 marks existing identifier as deprecated • eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a future version of this specification. • New REFEDS Research and Scholarship v2.0 entity category • Nearing consultation, will require the new SAML Subject Identifier. • Research intensive organisations, may need to support the new standard sooner. • Shibboleth project deprecating • Stay of execution in v5 (marked as deprecated?) "Winter is Coming" by Trey Ratcliff is licensed under CC BY-NC-SA 2.0
https://xkcd.com/927/ eduPersonTargetedID is dead, long live eduPersonTargetedID Subject Identifiers in the UK federation 11 2023 – NOT FOR MUCH LONGER
One existing problem - Case sensitivity • Existing Identifiers may be using case sensitive values • Existing Shibboleth IdPs, Base64, ComputedID StoredID. • How does an SP handle this scenario? https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg== https://idp.example.ac.uk/idp!https://sp.example.org/sp!BWVYAG1HC2RNYXNKZ2HHC2RNCG== • New(er) Shibboleth IdPs deployers should use Base32. • SPs can test with the UK federation Test IdP (accounts Yanny and Laurel) [1] [1] https://www.ukfederation.org.uk/content/Documents/TestIdP Subject Identifiers in the UK federation 12
Supporting the SAML subject identifiers - IdPs Subject Identifiers in the UK federation 13 A fresh start?  If your existing ComputedID connector uses Base64, then you should.  Change to Base32  Change source attribute  ObjectGUID, ObjectSid – these tie you heavily to Microsoft Active Directory, Binary Attributes tricky to handle  uid, sAMAccountName, userPrincipalName, cn, mail – all potentially affected by changes of name, affiliation  employee and student number – on the face of it, a great choice as a source pairwise-id  What source for subject-id?
Two more questions for IdPs (another poll!)  What source attribute would you use for subject-id?  (urn:oasis:names:tc:SAML:attribute:subject-id)  What source attribute would you use for pairwise-id? (urn:oasis:names:tc:SAML:attribute:pairwise-id) Subject Identifiers in the UK federation 14
Signalling Subject Identifiers in the UK federation 15 We talked about Requested Attributes.. • SPs signalling what attributes they support/require using Requested Attributes • Existing Requested Attributes are another problem • Can’t say "I’d like one of eduPersonPrincipalName, eduPersonTargetedID or mail (Email address) please?" • Can only say "these are required, these are not required/optional" • New entity category has options of pairwise-id, subject-id, any or none • How do IdP operators feel about subject-id being auto released? • Will you being using an attribute containing personal information? • Quick poll..
entityIDs vs scopes Subject Identifiers in the UK federation 16  Existing SAML attributes are tied based on entityID - another problem!  Deployment of the new Subject Identifiers  Will eventually free us from the tie of the entityID  Will tie us instead to the scope  In the meantime, we will be tied to both?  Aren't we already?  Scopes  A single scope can be asserted by multiple IdPs  IdPs can assert multiple scopes (depending on their software/configuration)  Scopes and the domains they represent are verified for compliance with our metadata registration practice statement [1] [1] https://docs.ukfederation.org.uk/mdrps/
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 17  No personalisation, no worries?  Possibly one, reporting may show more unique users.
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 18 Maintaining Personalisation  Problem of mapping X to Y in a lot of cases  https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg==  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Will likely need co-ordination between IdP and SP  Might need to share and log the most recent Assertion ID to aid this process.  Attribute priority might need to be done per customer, rather than per service?  In the Shibboleth SP REMOTE_USER vs Attribute itself
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 19 Building a new SP  If I was deploying an SP today and required personalisation attributes..  urn:oasis:names:tc:SAML:attribute:subject-id fallback to eduPersonPrincipalName  urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonTargetedID • urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonPrincipalName  Handy if your end application can’t handle SPentityID!IdPentityID!value
Supporting the SAML subject identifiers – UK federation  What do we need to do?  Build the new entity category support into our tooling, so that SPs can signal their support  Setup IdP test accounts that release pairwise-id and subject-id  Test SP and attribute viewer  Might be additional entityIDs based on the four values of the entity attribute  Guidance/documentation for Shibboleth IdP and SP operators  Your thoughts and feedback? Subject Identifiers in the UK federation 20
Two questions for IdPs? Subject Identifiers in the UK federation 21 • How are you deriving eduPersonTargetedID? • (what is the source attribute) • Or persistent-name-id • How are you deriving eduPersonPrincipalName? • (what is the source attribute)?

Recommended

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OpenIDFoundation
 
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Alasdair Gray
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study
JISC.AM
 
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
Syed Ahmad Chan Bukhari, PhD
 
Web Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and SimplicityWeb Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and Simplicity
hannonhill
 
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
Amazon Web Services
 

Recommended

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OpenIDFoundation
 
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Alasdair Gray
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study
JISC.AM
 
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
Syed Ahmad Chan Bukhari, PhD
 
Web Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and SimplicityWeb Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and Simplicity
hannonhill
 
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
Amazon Web Services
 
Sem tech 2011 v8
Sem tech 2011 v8Sem tech 2011 v8
Sem tech 2011 v8
dallemang
 
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
Digitised Manuscripts to Europeana
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
Yong Siang (Ivan) Tan
 
PerformanceSCORM
PerformanceSCORMPerformanceSCORM
PerformanceSCORM
openforum
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Chris Phillips
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
charper
 
Modeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught MeModeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught Me
David Boike
 
Mark logic text analytics
Mark logic text analyticsMark logic text analytics
Mark logic text analytics
Fernando Mesa
 
Paper presentation
Paper presentationPaper presentation
Paper presentation
K.K. Tripathi
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
Juan Taveras
 
Virtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDFVirtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDF
OpenLink Software
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elasticsearch
 
How Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information DiscoveryHow Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information Discovery
Alex Meadows
 
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Kingsley Uyi Idehen
 
20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf
Michal Miklas
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
HostedbyConfluent
 
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and SparkVital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital.AI
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
Daniel Zivkovic
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
honey725342
 
SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)
Odinot Stanislas
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
Mark Billinghurst
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

More Related Content

Similar to 20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
Digitised Manuscripts to Europeana
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
Yong Siang (Ivan) Tan
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
charper
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
Juan Taveras
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
HostedbyConfluent
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
honey725342
 

Similar to 20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx (20)

Sem tech 2011 v8
Sem tech 2011 v8Sem tech 2011 v8
Sem tech 2011 v8
 
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
 
PerformanceSCORM
PerformanceSCORMPerformanceSCORM
PerformanceSCORM
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
 
Modeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught MeModeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught Me
 
Mark logic text analytics
Mark logic text analyticsMark logic text analytics
Mark logic text analytics
 
Paper presentation
Paper presentationPaper presentation
Paper presentation
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
 
Virtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDFVirtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDF
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
 
How Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information DiscoveryHow Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information Discovery
 
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
 
20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
 
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and SparkVital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
 
SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
Hiroshi SHIBATA
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Skynet Technologies
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 

Recently uploaded (20)

The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 

20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

  • 1. Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifier? Jon Agland Trust and Identity, Jisc Internet2 ACAMP 2023 (Unconference session) 2023-09-22 [Slides based on a 2021 presentation, to aid discussion]
  • 2. Subject Identifiers in the UK federation Subject Identifiers in the UK federation 2 • Background (What are they, existing, the new standard, problems) • Supporting the new standard as IdP (first) • Supporting the new standard as SP (later) • Supporting the new standard as a federation operator
  • 3. What are Subject Identifiers? Subject - a person or thing that is being discussed, described, or dealt with. Identifier - a person or thing that identifies someone or something. Subject Identifiers in the UK federation 3
  • 4. Existing Subject Identifiers in the federation From the eduPersonSchema [1] eduPersonTargetedID is an abstracted version of the SAML V2.0 Name Identifier format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" eduPersonPrincipalName is a scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 4
  • 5. Further identifiers in the federation eduPersonNamePrincipalPrior  multi-valued  only one SP has this a Requested Attribute eduPersonUniqueID  appeared in 2013, low take-up  indication that 59 SPs have Requested Attributes for this  Only one of those directly registered in the UK federation.  [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 5
  • 6. Requested Attribute as an indicator Requested Attributes as a (bad!) indicator of attribute usage... eduPersonTargetedID - 674 eduPersonPrinicpalName - 1269 • Federation default policy – advises release of both these by IdPs to SPs • Only 378 of 1731 SPs in the UK federation have Requested Attributes in their metadata. Subject Identifiers in the UK federation 6
  • 7. Existing Subject Identifiers in SAML Subject Identifiers in the UK federation 7 Name Identifiers  Some commonly used NameIDs  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent  urn:oasis:names:tc:SAML:2.0:nameid-format:transient  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress  An IdP in the UK federation will typically release  Transient in the Subject  Persistent in a SAML Attribute (eduPersonTargetedID)
  • 8. Email Address as an Identifier Subject Identifiers in the UK federation 8  Not guaranteed unique to a subject  e.g. service@ukfederation.org.uk  Maybe be re-assigned  e.g. vc@camford.ac.uk  e.g. joe.bloggs@camford.ac.uk  Life events or affiliation may change it  Not always assigned by institution  May not be validated  https://spaces.at.internet2.edu/display/federation/why-is-email- not-an-appropriate-user-identifier  Hear our war story! "Return To Sender" by pheezy is licensed under CC BY 2.0
  • 9. New Standard – SAML Subject Identifiers Subject Identifiers in the UK federation 9 Two new SAML Attributes defined in a new standard [1]  urn:oasis:names:tc:SAML:attribute:subject-id  bob123132@example.ac.uk  Alignment with eduPersonUniqueID  urn:oasis:names:tc:SAML:attribute:pairwise-id  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Hang on this looks familiar? SAML1/eduPerson mace-dir/eduPersonTargetedID.old  Review the problem statement in the standard.  [1] http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
  • 10. Drivers – SAML Subject Identifiers Subject Identifiers in the UK federation 10 • New standard has been ratified for over two years. • Use cases are coming... • eduPerson 2020-01 marks existing identifier as deprecated • eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a future version of this specification. • New REFEDS Research and Scholarship v2.0 entity category • Nearing consultation, will require the new SAML Subject Identifier. • Research intensive organisations, may need to support the new standard sooner. • Shibboleth project deprecating • Stay of execution in v5 (marked as deprecated?) "Winter is Coming" by Trey Ratcliff is licensed under CC BY-NC-SA 2.0
  • 11. https://xkcd.com/927/ eduPersonTargetedID is dead, long live eduPersonTargetedID Subject Identifiers in the UK federation 11 2023 – NOT FOR MUCH LONGER
  • 12. One existing problem - Case sensitivity • Existing Identifiers may be using case sensitive values • Existing Shibboleth IdPs, Base64, ComputedID StoredID. • How does an SP handle this scenario? https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg== https://idp.example.ac.uk/idp!https://sp.example.org/sp!BWVYAG1HC2RNYXNKZ2HHC2RNCG== • New(er) Shibboleth IdPs deployers should use Base32. • SPs can test with the UK federation Test IdP (accounts Yanny and Laurel) [1] [1] https://www.ukfederation.org.uk/content/Documents/TestIdP Subject Identifiers in the UK federation 12
  • 13. Supporting the SAML subject identifiers - IdPs Subject Identifiers in the UK federation 13 A fresh start?  If your existing ComputedID connector uses Base64, then you should.  Change to Base32  Change source attribute  ObjectGUID, ObjectSid – these tie you heavily to Microsoft Active Directory, Binary Attributes tricky to handle  uid, sAMAccountName, userPrincipalName, cn, mail – all potentially affected by changes of name, affiliation  employee and student number – on the face of it, a great choice as a source pairwise-id  What source for subject-id?
  • 14. Two more questions for IdPs (another poll!)  What source attribute would you use for subject-id?  (urn:oasis:names:tc:SAML:attribute:subject-id)  What source attribute would you use for pairwise-id? (urn:oasis:names:tc:SAML:attribute:pairwise-id) Subject Identifiers in the UK federation 14
  • 15. Signalling Subject Identifiers in the UK federation 15 We talked about Requested Attributes.. • SPs signalling what attributes they support/require using Requested Attributes • Existing Requested Attributes are another problem • Can’t say "I’d like one of eduPersonPrincipalName, eduPersonTargetedID or mail (Email address) please?" • Can only say "these are required, these are not required/optional" • New entity category has options of pairwise-id, subject-id, any or none • How do IdP operators feel about subject-id being auto released? • Will you being using an attribute containing personal information? • Quick poll..
  • 16. entityIDs vs scopes Subject Identifiers in the UK federation 16  Existing SAML attributes are tied based on entityID - another problem!  Deployment of the new Subject Identifiers  Will eventually free us from the tie of the entityID  Will tie us instead to the scope  In the meantime, we will be tied to both?  Aren't we already?  Scopes  A single scope can be asserted by multiple IdPs  IdPs can assert multiple scopes (depending on their software/configuration)  Scopes and the domains they represent are verified for compliance with our metadata registration practice statement [1] [1] https://docs.ukfederation.org.uk/mdrps/
  • 17. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 17  No personalisation, no worries?  Possibly one, reporting may show more unique users.
  • 18. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 18 Maintaining Personalisation  Problem of mapping X to Y in a lot of cases  https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg==  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Will likely need co-ordination between IdP and SP  Might need to share and log the most recent Assertion ID to aid this process.  Attribute priority might need to be done per customer, rather than per service?  In the Shibboleth SP REMOTE_USER vs Attribute itself
  • 19. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 19 Building a new SP  If I was deploying an SP today and required personalisation attributes..  urn:oasis:names:tc:SAML:attribute:subject-id fallback to eduPersonPrincipalName  urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonTargetedID • urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonPrincipalName  Handy if your end application can’t handle SPentityID!IdPentityID!value
  • 20. Supporting the SAML subject identifiers – UK federation  What do we need to do?  Build the new entity category support into our tooling, so that SPs can signal their support  Setup IdP test accounts that release pairwise-id and subject-id  Test SP and attribute viewer  Might be additional entityIDs based on the four values of the entity attribute  Guidance/documentation for Shibboleth IdP and SP operators  Your thoughts and feedback? Subject Identifiers in the UK federation 20
  • 21. Two questions for IdPs? Subject Identifiers in the UK federation 21 • How are you deriving eduPersonTargetedID? • (what is the source attribute) • Or persistent-name-id • How are you deriving eduPersonPrincipalName? • (what is the source attribute)?

Editor's Notes

  1. * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other?
  2. How are you deriving eduPersonTargetedID? (what is the source attribute) * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other? How are you deriving eduPersonPrincipalName (what is the source attribute)? * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other?