ray at decampo.org
Mon Jun 1 15:08:43 UTC 2020
On Mon, Jun 1, 2020 at 10:56 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 6/1/20, 10:49 AM, "users on behalf of Raymond DeCampo" <users-bounces at shibboleth.net on behalf of ray at decampo.org> wrote:
> > Well, I have made some progress. I found the attribute-filter.xml file
> > and after entering in the configuration below, I am now getting the
> > "mail" attribute returned from the IdP to the samltest.id SP. Thanks
> > to everyone who took the time to look at my questions.
> Per my response, "mail" is a classic example of the problem.
> That attribute is:
> - multi-valued
> - not defined to be specifically an organizationally-issued email address
> - not guaranteed to be controlled by the IdP itself (it could be something the user enters)
> - often subject to change or even reassignment to different users depending on the policies of the organization
> It, and to a lesser extent the use of emailAddress formatted NameIDs, are a perfect example of what not to do, and yet it's endemic to cloud systems to misuse it that way because the consumer world standardized on it for lack of anything else to use.
> There are any number of people on this list that will happily tell you why email addresses are totally inappropriate to use as an identifier.
Thanks, Scott. I have no doubt that it is problematic. For my
production situation I will be in the SP position however, so I'll
need to accept whatever attribute the IdP chooses to send me the user
identifier under. (Unless I am mistaken, does the SP indicate the
desired attributes?) I suspect they will be using "mail" because the
current SSO passes the email address as the REMOTE_USER. I think they
also use the email as the system user identifier.
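The points Scott lists (multi-valued, not IdP-controlled, reassignable) are easiest to see from the SP side as an account-linking bug. The following is an added example, not code from this thread or from the Shibboleth project: it models an application behind a Shibboleth SP that keys its local accounts on a stable identifier rather than on "mail", alongside the naive mail-keyed version, and runs both over constructed sessions where one user's mail changes and the old address is later reassigned to someone else. It assumes the SP hands attributes to the application as environment variables (REMOTE_USER plus one variable per mapped attribute, multi-valued attributes joined with ";"), and the attribute names "persistent-id", "eppn", "mail" and "displayName" are hypothetical variable names chosen for the example.

```python
"""Added example: keying SP-side accounts on a stable identifier, not "mail".

Assumptions (not from the thread):
- The Shibboleth SP exposes released attributes to the application as
  environment variables; multi-valued attributes are joined with ";".
- "persistent-id", "eppn", "mail" and "displayName" are hypothetical
  variable names used here for illustration.
- All session dictionaries below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SEP = ";"
# Preferred stable, IdP-controlled identifiers, in order. "mail" is deliberately absent.
STABLE_ID_ATTRS = ("persistent-id", "eppn")


@dataclass
class Account:
    key: str                      # what the account is linked to
    display_name: str
    contact_mail: list[str] = field(default_factory=list)  # informational only


def split_multi(value: Optional[str]) -> list[str]:
    """Split an SP-style multi-valued attribute, dropping empty entries."""
    if not value:
        return []
    return [v for v in value.split(SEP) if v]


def choose_identity_key(env: dict[str, str]) -> str:
    """Pick the value to link the local account to.

    Only a single-valued entry from STABLE_ID_ATTRS qualifies; a multi-valued
    identifier is ambiguous, and a missing one is an error rather than an
    excuse to fall back to "mail".
    """
    for attr in STABLE_ID_ATTRS:
        values = split_multi(env.get(attr))
        if len(values) == 1:
            return f"{attr}:{values[0]}"
        if len(values) > 1:
            raise ValueError(f"{attr} is multi-valued {values}; refusing to guess")
    raise ValueError("no stable identifier released; not falling back to mail")


class StableKeyedStore:
    """Accounts linked by a stable identifier; mail is kept as contact data."""

    def __init__(self) -> None:
        self._by_key: dict[str, Account] = {}

    def login(self, env: dict[str, str]) -> Account:
        key = choose_identity_key(env)
        mails = split_multi(env.get("mail"))
        acct = self._by_key.get(key)
        if acct is None:
            acct = Account(key, env.get("displayName", key), mails)
            self._by_key[key] = acct
        else:
            acct.contact_mail = mails   # contact info may change; identity does not
        return acct


class MailKeyedStore:
    """The pattern the thread warns against: first mail value is the identity."""

    def __init__(self) -> None:
        self._by_mail: dict[str, Account] = {}

    def login(self, env: dict[str, str]) -> Account:
        mails = split_multi(env.get("mail"))
        if not mails:
            raise ValueError("no mail released")
        key = mails[0]                      # silently ignores the other values
        acct = self._by_mail.get(key)
        if acct is None:
            acct = Account(key, env.get("displayName", key), mails)
            self._by_mail[key] = acct
        return acct


def demo() -> dict[str, bool]:
    """Run three constructed sessions through both stores and report what happens."""
    alice = {"persistent-id": "abc123", "eppn": "asmith@example.org",
             "mail": "alice@example.org;a.smith@example.org", "displayName": "Alice"}
    alice_renamed = {"persistent-id": "abc123", "eppn": "asmith@example.org",
                     "mail": "alice.smith@example.org", "displayName": "Alice"}
    # Later, the old address is reassigned to a different person.
    bob = {"persistent-id": "xyz789", "eppn": "bjones@example.org",
           "mail": "alice@example.org", "displayName": "Bob"}

    stable = StableKeyedStore()
    a1, a2, b = stable.login(alice), stable.login(alice_renamed), stable.login(bob)

    naive = MailKeyedStore()
    n1, n2, nb = naive.login(alice), naive.login(alice_renamed), naive.login(bob)

    return {
        "stable_keeps_alice_after_mail_change": a1 is a2,
        "stable_separates_bob": b is not a1,
        "naive_loses_alice_after_mail_change": n1 is not n2,
        "naive_gives_bob_alices_account": nb is n1,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The mail-keyed store shows both failure modes from the thread at once: Alice's changed address orphans her account, and Bob, who merely inherited her old address, lands in it. The stable-keyed store treats mail as mutable contact data and refuses to link an account at all when nothing better was released, which is the condition an SP in Raymond's position should surface to the IdP operator rather than paper over.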