SAML2NameID deprecated (and therefore eduPersonTargetedId?)

Mon Jun 5 09:31:29 UTC 2023

I wonder if, in the UK, we could get some support from the UK Federation/JISC on this? Our v4 installation has this same issue.

_________________________________________________

Dave Perry
Application Analyst  |  Innovation & Technology Services

York St John University

Lord Mayor’s Walk, York, YO31 7EX
T: +44(0)1904 876 0000
email at yorksj.ac.uk<mailto:email at yorksj.ac.uk>  |  www.yorksj.ac.uk<http://www.yorksj.ac.uk>

[cid:f064561d-8051-4753-bbd6-83b89119954a]

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Silke Meyer <smeyer at dfn.de>
Sent: 05 June 2023 10:10
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: SAML2NameID deprecated (and therefore eduPersonTargetedId?)

Caution: Please take care when clicking on links or opening attachments in emails that originate from outside of the university. When in doubt, contact the ITS service desk.

Hi Scott, hi all,

coming back to this older thread about the deprecation of SAML2NameID...

> The scoped pairwise ID subject Attribute isn't the replacement for this, it was replaced a decade ago by simply saying "use a SAML 2.0 persistent NameID". The Shibboleth SP has always treated those as functionally identical down to the syntax in the exported variable.
>
> If there's honestly some crazy piece of code out there that can handle an XML-valued AttributeValue (which nothing ever handled beyond this except for our SP) and can't handle a NameID, then a) that's insane and b) it should get fixed.
>
> I would like to remove this from the IdP, yes. Failing that, moving it into an unsupported plugin that we will not release ourselves but would make the code available for would be my preferred plan B, because if we don't force this, nobody seems willing to do anything about it. It's past time.

With the release of IdP v5 ahead I was wondering how to deal with the
situation resp. what advice to give to our community:

We have been spreading the word about using the persistentID for years
but as of today there are still almost 80 Service Providers in DFN-AAI
who have labeled ePTID as a required attribute (not counting local SPs
in the organizations). Not every SP operator publishes their required
attributes so even more could be affected by the deprecation.

Removing it would certainly cause a considerable amount of support
requests here. I guess I would have a hard time explaining that there is
an unsupported and unreleased plugin that a relevant part of our 350+
Shibboleth IdPs would then need to use those ~80 SPs.

Afaik, the SAML2NameID is still part of the code right now. So I was
wondering if there was maybe a plan C, e.g. let it run the way it is in
v4. Is that an option?

Best, Silke

--
Silke Meyer

DFN-Verein | Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin | Germany

Phone: +49 30 884299-306 | Mail: smeyer at dfn.de

Vorstand:  Prof. Dr. O. Kao, Dr. R. Bockholt, C. Zens
Geschäftsführer: Dr. C. Grimm, J. Pattloch
AG Charlottenburg VR7729B | USt.-ID. DE 136623822

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/9a4c0202/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook-5utgwhwc.png
Type: image/png
Size: 12155 bytes
Desc: Outlook-5utgwhwc.png
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/9a4c0202/attachment.png>