Shibboleth ID concepts
cantor.2 at osu.edu
Wed Aug 8 09:17:33 EDT 2012
On Aug 8, 2012, at 6:05 AM, "Manuel Haim" <haim at hrz.uni-marburg.de> wrote:
> things look much clearer to me now.
Clear as mud I imagine. :)
> For local apps, we tend to use deprovisioning scripts based on the
> username, but in a federated environment this is no option, thus we will
> try to establish some all-time-unique non-complex identifiers...
That's a tough trade off to meet.
I think SWITCH has done work with using attribute queries to test the liveness of an identifier for deprovisioning use cases.
> And there were so many caveats about the eduPersonTargetedID within the
> Shibboleth wiki and example config that I really hesitated to use it at
> all (it sounded like a relict of old days, so thanks for clarifying it
No, but all the mistakes and the complexity have made it largely impractical. I don't know from a UI perspective what's really possible but it may be time to start fresh. I sort of hoped OpenID might address that, but to be honest, this isn't a use case they care about. That world is email address pretty much.
More information about the users