Reused usernames and persistentIds
Ramon Pfeiffer
ramon.pfeiffer at uni-tuebingen.de
Wed Oct 22 12:27:45 EDT 2014
Dear all,
At our university, we are faced with the necessity of reusing usernames
after a given timespan (several years). This means that, some years after the
account of user A has been deleted, the same username can be reused for
a newly created user B.
The persistentId is calculated by the uApprove plugin as a salted hash
over the SP, the IdP and the username. The SWITCH AAI strongly
recommends using a fixed salt for this calculation (see [1], section
11.1.3 (2)). Assuming user B registered with the same SP that was
already used by user A, the persistentId for these users would be the same.
We cannot be sure that an SP removed user A from its database after a
reasonable amount of time. This presents us with at least two major problems:
First, an SP querying for updates of user A's attributes (using an
AttributeQuery and the persistentId) would get the attribute set of user B.
Second, while logging in to the SP, user B is recognized as the same
user due to both users sharing the same persistentId. User A could have
saved data on the SP's datastore using his account that would then be
available to user B. The SP could also have stored some user details
(e.g. account balance) regarding user A. These would then be mapped to
user B.
A solution that we came up with was to change the salt used while
generating the persistentId at regular intervals. A similar approach
would be to use a random salt each time a new persistentId is calculated.
However, this would conflict with the SWITCH AAI's recommendation. In
the case of a random salt, it seems that deep reprogramming of the uApprove
plugin would be needed, which is not an option.
Did anybody experience similar problems? Any recommendations?
Best regards
Ramon Pfeiffer
[1]: https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/idp/deployment/
--
Universität Tübingen
Zentrum für Datenverarbeitung
E-mail: ramon.pfeiffer at uni-tuebingen.de
Phone: +49-7071-29-70204
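As an added illustration that is not part of the original post or of uApprove's own code: a small model of the username-reuse collision described in the message, comparing the fixed salt with the salt-rotation and per-account random-salt alternatives the author raises. The hash construction (SHA-256 over IdP, SP, username and salt), the entityIDs and the usernames are constructed assumptions standing in for the real computation.

```python
import base64
import hashlib
import secrets

IDP = "https://idp.example.edu/idp/shibboleth"  # constructed sample entityIDs
SP = "https://sp.example.org/shibboleth"

def persistent_id(idp: str, sp: str, username: str, salt: bytes) -> str:
    # Assumed construction (stand-in for uApprove): salted hash over IdP, SP, username.
    data = b"|".join([idp.encode(), sp.encode(), username.encode(), salt])
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def fixed_salt_collision(username: str = "jdoe") -> bool:
    """User A (deleted) and user B (created years later) share a username.
    With a fixed salt the SP sees one and the same persistentId for both."""
    salt = b"constructed-fixed-salt"
    return persistent_id(IDP, SP, username, salt) == persistent_id(IDP, SP, username, salt)

def rotated_salt(username: str = "jdoe") -> tuple[bool, bool]:
    """Rotating the salt does separate A from B, but every existing user's id
    also changes at the rotation point, so the SP loses the link to their data."""
    old, new = b"salt-epoch-2010", b"salt-epoch-2014"
    a_vs_b_differ = persistent_id(IDP, SP, username, old) != persistent_id(IDP, SP, username, new)
    bystander_changes = persistent_id(IDP, SP, "msmith", old) != persistent_id(IDP, SP, "msmith", new)
    return a_vs_b_differ, bystander_changes

class PerAccountSalt:
    """Random salt drawn once per account record and stored with it. Deleting the
    record discards the salt, so a later account reusing the username gets a new id,
    while an existing account's id stays stable across logins."""
    def __init__(self) -> None:
        self._salts: dict[str, bytes] = {}  # account record id -> salt

    def create(self, record_id: str) -> None:
        self._salts[record_id] = secrets.token_bytes(16)

    def delete(self, record_id: str) -> None:
        del self._salts[record_id]

    def pid(self, record_id: str, username: str) -> str:
        return persistent_id(IDP, SP, username, self._salts[record_id])

def per_account_salt_demo(username: str = "jdoe") -> tuple[bool, bool]:
    store = PerAccountSalt()
    store.create("acct-A")
    first, second = store.pid("acct-A", username), store.pid("acct-A", username)
    store.delete("acct-A")          # user A's account expires
    store.create("acct-B")          # years later: same username, new record
    return first == second, store.pid("acct-B", username) != first
```

The per-account salt only keeps ids stable if the salt is persisted with the account record for its whole lifetime; losing that store has the same effect on the SP as a salt rotation.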