Cantor, Scott cantor.2 at
Mon Aug 23 19:11:42 UTC 2021

On 8/23/21, 2:48 PM, "users on behalf of IAM David Bantz" <users-bounces at on behalf of dabantz at> wrote:

> A newly licensed vended service is requesting I release “sis_login_id” attribute. Is this more than a blinkered
> “We’ll make it up as we go along” integration policy?

No, but in their defense, that's an awfully specific semantic. Not even clear what it would mean in a world where most SIS systems are really long past doing direct authentication so what would such a thing even be?

> How are you responding to this or similar requests or demands from SPs?

I'm extremely aggressive to the point of refusing integrations unless the attribute involved is non-standard in nature or very specialized. I have done about 3-4 integrations that required Microsoft's made up names for things under the justification that at least was a rule that would span some number of systems, but I only have about 1 completely one-off case now.

When I do them, it's only after pushing back very hard and often based on my overall relationship with the customer and what other factors might exist. I am not above behaving politically; if there's something in it for me now or in the future, I'm more likely to relax some restrictions, but the official position is "no".

Other than security or basic interoperability issues (e.g., no I'm not going to "ignore" your requested AuthnContext), I only have 3 bright lines: this one, using invalid entityIDs, and misusing NameID Formats. We have preferred ways of doing things, but as long as it's not clearly standardized, I usually adapt.

But there is a valid argument that there is no standard Attribute for what you're talking about. *We* use employeeNumber for the concept of student ID number, so I would tend to ask for that to be used, and I've really never hit anything that was relying on a customer-specific ID that didn't either use the NameID element or take anything you defined. But I couldn't rightly claim that anything that exists now is exactly that meaning, and that's not a "login ID" either. "uid" is the closest but that's obviously not interoperable, so I don't use it.

-- Scott
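As an added illustration of the approach described above, and not part of the original message or of any project's shipped configuration: a Shibboleth IdP attribute-filter policy that releases only the standard employeeNumber attribute to one specific SP, selected by its entityID, rather than inventing a vendor-specific name such as "sis_login_id". The entityID, the policy id and the assumption that an attribute with id employeeNumber is already defined in the attribute resolver are placeholders for this example.

```xml
<!-- Added example: per-SP release of a standard attribute only.
     Placeholder values: the policy id and the SP entityID are invented for
     illustration; "employeeNumber" is assumed to be defined in attribute-resolver.xml. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Default is deny: nothing is released unless a policy below permits it. -->
    <AttributeFilterPolicy id="releaseStudentIdToVendorSP">
        <!-- Match only the one SP that needs the identifier (placeholder entityID). -->
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.vendor.example/shibboleth" />

        <!-- Release the standard attribute; the SP maps it on its side. -->
        <AttributeRule attributeID="employeeNumber">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The point of scoping the rule by Requester is that the identifier reaches exactly one SP, so a later request for a differently named copy of the same value can be answered by pointing the vendor at the existing employeeNumber release rather than by adding a one-off attribute.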
