The definition of principal

Mike Flynn shibbolethlynda at yahoo.com
Fri Sep 26 11:59:12 EDT 2014


OK, their MD says persistent: <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
So then my final question becomes: what do I need to do to make the NameID pass as one of the request headers back to my protected resource?


I am currently having a conversation with SuccessFactors / BizX with
regard to their requiring that we use nameID as a unique, immutable ID
token for the user.


The basic answer is, please identify the SAML standard format you want to
use. If they intend to use "persistent", then they aren't doing anything
but what Shibboleth already does by default. If they say something else,
they're either misusing another format, using unspecified, or, far less
likely, actually minting a custom format.

The problem is interoperability and having things "just work" with
well-defined semantics, and while higher ed/EduPerson isn't perfect, it's
about the only game in town. The rest of the market has no such standard
to follow so they just make it all up, or in most cases use unspecified.


Is this appropriate?


Yes, but what's not appropriate is treating the field as some kind of
one-off agreement. If you use NameID, you should have a Format to point to
that has standard semantics.


If appropriate, can I configure my SP (v2.3.1) to pass nameID to the
protected resource in some fashion?


Yes, but what you can't do, for example, is map a given Format (particularly
the aforementioned "unspecified") to a different header for each IdP. And
that's the risk: when you don't have clear definitions in play, you may
end up with two IdPs trying to use the same Format when they don't provide
the same guarantees around the data.

-- Scott
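As an added illustration (not part of the thread, and not the SP's own shipped file) of the "persistent is what Shibboleth already does by default" point: an attribute-map.xml fragment for SP 2.x that turns the persistent NameID Format from the IdP's metadata into a resolved attribute. The id `persistent-id` is an assumption; whether the application sees it as a request header or an environment variable depends on the web server module settings, and attribute-policy.xml must permit the id (the stock catch-all rule does).

```xml
<!-- attribute-map.xml (Shibboleth SP 2.x): map the SAML 2.0 persistent NameID
     carried in the assertion <Subject> to an attribute the protected resource
     can read. Hypothetical fragment, not the distribution's own file. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- "name" is matched against the NameID Format the IdP advertises.
         "id" is the attribute name the application sees (assumed here). -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               id="persistent-id">
        <!-- Emit the full qualified triple rather than the bare $Name:
             a persistent identifier is only unique in combination with the
             issuing IdP (NameQualifier) and the SP it was minted for
             (SPNameQualifier). defaultQualifiers="true" fills those in from
             the entityIDs when the IdP leaves them out, so two IdPs that
             happen to issue the same raw value cannot collide. -->
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>

    <!-- Keep the attribute-based identifier mapped as well; a resource that
         keys on the NameID alone has nothing to fall back on when an IdP
         sends a different Format. eduPersonTargetedID is the same kind of
         value delivered as an attribute. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>
</Attributes>
```

After restarting shibd, the Session handler (/Shibboleth.sso/Session) lists the resolved attribute ids, which is the quickest way to confirm the NameID was actually mapped before looking at what the application receives.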
 

     On Friday, September 26, 2014 7:54 AM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
   

I am currently having a conversation with SuccessFactors / BizX with regard to their requiring that we use nameID as a unique, immutable ID token for the user. Typically we use things like targeted-id/eppn/UID etc - attributes passed to us. I am trying to understand the following:
Is this appropriate? If appropriate, can I configure my SP (v2.3.1) to pass nameID to the protected resource in some fashion? Should I expect SuccessFactors to pass it as an attribute?
Thanks
 

     On Thursday, September 25, 2014 12:40 PM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
   

In the OASIS docs, I see this:
The optional <Subject> element specifies the principal that is the subject of all of the (zero or more) statements in the assertion.
In the glossary it is defined as this:
A system entity whose identity can be authenticated. [X.811]

What exactly is meant by system entity?  Does the principal in an assertion have any association with the user specific data being passed as attributes?
Thanks.
