Shibboleth ID concepts

Cantor, Scott cantor.2 at
Wed Aug 8 09:17:33 EDT 2012

On Aug 8, 2012, at 6:05 AM, "Manuel Haim" <haim at> wrote:

> things look much clearer to me now.

Clear as mud I imagine. :)

> For local apps, we tend to use deprovisioning scripts based on the
> username, but in a federated environment this is no option, thus we will
> try to establish some all-time-unique non-complex identifiers...

That's a tough trade-off to meet.

I think SWITCH has done work with using attribute queries to test the liveness of an identifier for deprovisioning use cases.

> And there were so many caveats about the eduPersonTargetedID within the
> Shibboleth wiki and example config that I really hesitated to use it at
> all (it sounded like a relic of old days, so thanks for clarifying it
> isn't).

No, but all the mistakes and the complexity have made it largely impractical. I don't know from a UI perspective what's really possible but it may be time to start fresh. I sort of hoped OpenID might address that, but to be honest, this isn't a use case they care about. That world is email address pretty much.

-- Scott

