Reused usernames and persistentIds

Ramon Pfeiffer ramon.pfeiffer at uni-tuebingen.de
Wed Oct 22 12:27:45 EDT 2014


Dear all,

at our university, we are faced with the necessity of reusing usernames 
after a given timespan (several years). This means, some years after the 
account of user A has been deleted, the same username can be reused for 
a newly created user B.

The persistentId is calculated by the uApprove plugin as a salted hash 
over the SP, the IdP and the username. The SWITCH AAI strongly 
recommends using a fixed salt for this calculation (see [1], section 
11.1.3 (2)). Assuming user B registered with the same SP that was 
already used by user A, the persistentId for these users would be the same.

We cannot be sure that an SP removed user A from his database after a 
reasonable amount of time. This faces us with at least two major problems:
First, an SP querying for updates of user A's attributes (using an 
AttributeQuery and the persistentId) would get the attribute set of user B.
Second, while logging in to the SP, user B is recognized as the same 
user due to both users sharing the same persistentId. User A could have 
saved data on the SP's datastore using his account that would then be 
available to user B. The SP could also have stored some user details 
(e.g. account balance) regarding user A. These would then be mapped to 
user B.

A solution that we came up with was to change the salt used while 
generating the persistentId at regular intervals. A similar approach 
would be to use a random salt each time a new persistentId is calculated.
However, this would conflict with the SWITCH AAI's recommendation. In 
case of a random salt, it seems deep reprogramming of the uApprove 
plugin would be needed, which is not an option.

Has anybody experienced similar problems? Any recommendations?

Best regards
Ramon Pfeiffer


[1]: https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/idp/deployment/

--
Universität Tübingen
Zentrum für Datenverarbeitung

E-Mail: ramon.pfeiffer at uni-tuebingen.de
Telefon: +49-7071-29-70204
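As an added illustration, and not code from the post, from the uApprove plugin or from SWITCH: the following Python models the salted-hash persistentId described above, shows why a reused username under a fixed salt yields the same identifier for two different accounts, shows that rotating the salt changes the identifier of every existing account (the cost of the rotation idea), and shows a variant that adds an immutable per-account key to the hash input. The entityIDs, salts and account keys are constructed sample values, and the exact input encoding (HMAC-SHA256 with NUL-separated fields) is an assumption, not uApprove's actual algorithm.

```python
import hashlib
import hmac

# Constructed sample values: these entityIDs and salts are illustrative
# and do not refer to any real deployment.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
FIXED_SALT = b"constructed-fixed-salt"


def persistent_id(sp, idp, username, salt):
    """Model of the scheme described in the post: a salted hash over the
    SP entityID, the IdP entityID and the username.  The encoding is an
    assumption: HMAC-SHA256 keyed with the salt over NUL-separated fields,
    so that no two distinct (sp, idp, username) triples can produce the
    same input bytes."""
    message = b"\x00".join(s.encode("utf-8") for s in (sp, idp, username))
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def persistent_id_with_account_key(sp, idp, username, account_key, salt):
    """Hardened variant (an assumption, not uApprove's behaviour): the hash
    input additionally carries an immutable per-account key issued by the
    identity management system, e.g. a database primary key or the account
    creation timestamp.  A later account that reuses the username receives
    a different key and therefore a different persistentId, while one and
    the same account keeps a stable id across logins."""
    fields = (sp, idp, username, account_key)
    message = b"\x00".join(s.encode("utf-8") for s in fields)
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def compare_schemes(account_a, account_b, salt):
    """Compute the persistentIds of two account records (dicts with
    'username' and 'account_key') under both schemes for the same SP and
    report whether the two accounts would be mapped to the same id."""
    plain_a = persistent_id(SP_ENTITY_ID, IDP_ENTITY_ID,
                            account_a["username"], salt)
    plain_b = persistent_id(SP_ENTITY_ID, IDP_ENTITY_ID,
                            account_b["username"], salt)
    keyed_a = persistent_id_with_account_key(
        SP_ENTITY_ID, IDP_ENTITY_ID,
        account_a["username"], account_a["account_key"], salt)
    keyed_b = persistent_id_with_account_key(
        SP_ENTITY_ID, IDP_ENTITY_ID,
        account_b["username"], account_b["account_key"], salt)
    return {"plain_collides": plain_a == plain_b,
            "keyed_collides": keyed_a == keyed_b}


def salt_rotation_changes_id(username, account_key, old_salt, new_salt):
    """True if rotating the salt gives the *same* account a different
    persistentId at the SP, i.e. the SP would treat a returning user as a
    brand-new one.  This is the side effect of the rotation idea."""
    before = persistent_id_with_account_key(
        SP_ENTITY_ID, IDP_ENTITY_ID, username, account_key, old_salt)
    after = persistent_id_with_account_key(
        SP_ENTITY_ID, IDP_ENTITY_ID, username, account_key, new_salt)
    return before != after


if __name__ == "__main__":
    # Constructed accounts: user A was deleted years ago, user B later
    # received the same username but a fresh account key.
    user_a = {"username": "jdoe", "account_key": "acct-1001"}
    user_b = {"username": "jdoe", "account_key": "acct-2042"}
    print(compare_schemes(user_a, user_b, FIXED_SALT))
    # -> {'plain_collides': True, 'keyed_collides': False}
    print(salt_rotation_changes_id("jdoe", "acct-1001",
                                   FIXED_SALT, b"rotated-salt"))
    # -> True
```

The design point: the collision comes from the hash input, not from the salt, so the cleanest fix keeps the fixed salt and adds an input that the identity management system guarantees never to reuse. Whatever is added changes the persistentId of every account that is hashed with the new input, so such a change has to be introduced in a controlled way (for instance only for accounts created after the switch, with the old scheme retained for existing ones) rather than silently for all users.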

