dvn-auth February 2015

dvn-auth@lists.iq.harvard.edu

3 participants
3 discussions

Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID

by Philip Durbin

Hello! Question for all you Shibboleth experts out there... If I'd like to take one of the attributes and store in in Dataverse as a persistent identifier? Which one should I use? >From playing around with the IdP at http://testshib.org I assumed "persistent-id" would be the one to use. It looks nice and unique: persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… However! I'm hearing that "persistent-id" may not be so commonly used... that perhaps in Higher Ed anyway "eppn" might be used instead. The weird thing to me about "eppn", however is that (at least from TestShib) there's a username in it: eppn: myself(a)testshib.org Furthermore, eppn is allowed to change (!) according to https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-… "Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute." So... maybe we should require eduPersonTargetedID (also known as ePTID) instead... But then I checked in with a non-Higher Ed person, and he uses Assertion -> Subject -> NameID. It looks like this: <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID> It's got "persistent" in it, which I like. :) >From what I can tell from docs above "[ePTID] is an abstracted version of [NameID]" anyway, so maybe I should just require NameID so non-Higher Ed people aren't confused. Of course, I may just be confusing myself... I hope it's clear what I'm asking... What we need on the Dataverse side is to but something in the "FIXME" below: permanentId = httpServletRequest.getAttribute("FIXME"); Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise. We'll be using this value to find the Shib users in the system each time they log in. Thanks! Phil p.s. Chats I just had (summarized above): http://irclog.perlgeek.de/shibboleth/2014-07-29 Time Nick Message 19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything? 19:59 hsnopi not taht I am specifically aware of. I think it is used to give a user a permenant id but i could be very very wrong 19:59 pdurbin that's how I was thinking I'd use it 19:59 pdurbin but I'm also hearing that eppn is preferred, maybe? 20:00 pdurbin the IdP at http://testshib.org sends both 20:00 hsnopi that is so far out of my league 20:00 pdurbin eppn: myself(a)testshib.org 20:00 pdurbin persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… 20:01 pdurbin persistent-id seemed "safer" to use... more unique... 20:01 hsnopi i seem to vaguely recall something about eppn going away at soem point. 20:01 pdurbin hmm http://www.evanchooly.com/logs/%2523glassfish/2014-07-29 pdurbin whartung: persistent-id or eppn? whartung pdurbin: eh? pdurbin heh pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29 whartung frankly, I don't recognize either of those :) pdurbin whartung: what attribute do you use to uniquely identify a user who has logged in via shibboleth? whartung Subject->NAmeID pdurbin huh pdurbin I'm not used to seeing "->" in an attribute whartung Assertion -> Subject -> NameID pdurbin oh oh whartung no, it's the heirarchy pdurbin whartung: you're giving me the xpath ;) whartung yea pdurbin cool. thanks pdurbin NameID. hmm pdurbin commonly used? whartung Apparently pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName https://www.incommon.org/federation/attributesummary.html whartung ok whartung yea, we're not in that domain whartung generic Response of ours: http://pastie.org/private/oay0trwmvrw9e0haekqmlw pdurbin ok so <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID> pdurbin interesting whartung right pdurbin so I'm seeing "persistent" there and under "longevity" at https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes pdurbin "persistent: identifiers which are good for a long period of time (e.g. years) but which the IdP may revoke" whartung yea, perahps we should use "permanent" instead pdurbin right -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin

9 years, 1 month

Announcing the Dataverse Auth Community Group

by Ben Companjen

Hi all, You may have seen the general information about the formation of Community Groups for Dataverse at [1]. "(...) Community Groups will be formed during the /First Annual Dataverse Community Meeting (June 9-11)/ <http://community.dataverse.org/community-meetings/2015/index.html#community…> and will report back to the /Dataverse Advisory Team/ <http://community.dataverse.org/advisory-team.html#advisory-team>." [1]: http://community.dataverse.org/community-groups/index.html " The Dataverse Advisory team advises the Dataverse team at IQSS, which includes PI Gary King, Project Lead Mercè Crosas and members of the Data Science team at IQSS (http://datascience.iq.harvard.edu/team), on all significant general areas involving the Dataverse software application, with a focus on technical advice." [2] [2]: http://community.dataverse.org/advisory-team.html#advisory-team One Community Group you as a subscriber to this list may be interested in, is Authentication and Authorization ("Auth") [3], which is coordinated by Philip Durbin and me. The group will discuss 'auth' functional and technical questions and requirements, use cases, etc. and report to the Advisory Team who can advise about these topics. For example, a major current topic is Shibboleth support in Dataverse 4. DDN (me :)) is thinking about assigning roles to specific dataverses to users based on SAML attributes. We are, naturally, interested in other aspects or ways of authenticating and authorizing too. [3]: http://community.dataverse.org/community-groups/auth.html On a meta level, the community groups are still / yet to be discussed. We expect that to happen between now and the end of the First Community Meeting in June. You don't need to wait for the meeting in June to join the discussion about auth, of course :) If you are interested in being part of the auth group, please let Phil or me know via email and we'll make sure you get the details. Of course, news about the auth group will be posted here and in #dataverse on Freenode IRC as well. Looking forward to talk to/chat with/see/.. you! Phil and Ben Ben Companjen Information systems engineer / Information manager ben.companjen(a)dans.knaw.nl +31 6 1334 9717 Skype: bencompanjen Data Archiving and Networked Services (DANS) DANS promotes sustained access to digital research data. See www.dans.knaw.nl for more information and contact details. DANS is an institute of KNAW and NWO. DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 | 2509 AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl | www.dans.knaw.nl

9 years, 2 months

Re: [dvn-auth] Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID (Philip Durbin)

by Erdos, Marlena

Hi Phil, I've comment on your GitHub suggestions related to the identifer/identity attributes of eppn (eduPersonPrincipalName), ePTID (eduPersonTargetedID), and NameID. I post it here for others. Hi Phil, I think you are misunderstanding the purpose of the these identity-oriented attributes when you talk about "ordering." Either that or I'm mis-understanding your business case :-). Generally, identity and identifier attributes are used for account-finding and also authorization. And other attributes (like roles and groups) also factor into authorization. There's not really an "ordering" but rather a question of "purpose" for each attribute. An IdP is generally only going to send you one of the attributes you list for a given user. Its purpose is "account-finding" if applicable, and/or "identifier-based authorization." Thx, Marlena 617-872-9736 -----Original Message----- From: "dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>" <dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>> Reply-To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Date: Thursday, February 5, 2015 at 12:00 PM To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: dvn-auth Digest, Vol 8, Issue 1 Send dvn-auth mailing list submissions to dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To subscribe or unsubscribe via the World Wide Web, visit https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth or, via email, send a message with subject or body 'help' to dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu> You can reach the person managing the list at dvn-auth-owner(a)lists.iq.harvard.edu<mailto:dvn-auth-owner@lists.iq.harvard.edu> When replying, please edit your Subject line so it is more specific than "Re: Contents of dvn-auth digest..." Today's Topics: 1. Re: Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID (Philip Durbin) ---------------------------------------------------------------------- Message: 1 Date: Thu, 5 Feb 2015 10:45:03 -0500 From: Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: Re: [dvn-auth] Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID Message-ID: <CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw(a)mail.gmail.com<mailto:CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com>> Content-Type: text/plain; charset=UTF-8 Happy New Year, dvn-auth list! :) I just created a ticket about eppn vs. ePTID vs. NameID at https://github.com/IQSS/dataverse/issues/1422 Comments there or here are certainly welcome! Phil On Wed, Jul 30, 2014 at 1:39 PM, Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> wrote: Hi Leonhard! Thanks for your reply! I'm very curious what your Shibboleth federation hotline has to say. Meanwhile, a little bird on this list pointed me to a "Cloud Services Cookbook" recorded only a couple weeks ago that seems to have a ton of related advice: http://www.incommon.org/iamonline/ I'll copy the DO and DON'T bullet points from the slides and in our heads we can all translate "Vendor" to "Dataverse" and "Campus" to all the IdP providers out there: http://www.incommon.org/docs/iamonline/20140716_IAMOnline.pdf Slide 11 Challenges: Network IDs and Email Addresses CONSIDER the relationship between ePPN and mail. Campus: DO socialize the use of organizational email addresses. Campus: DO make eduPersonPrincipalName useful. Vendor: DO be cautious about using mail as a unique identifier Slide 12 Challenges: Scoped and Unscoped Identifiers Campus: DO work with service providers to understand how data is being interpreted. Vendor: DON'T assume that a simple username is unique across domains and subdomains. Slide 19 Challenge: Usernames Change ?What's in a name? ...a rose by any other name would smell as sweet" -?Act II, Scene II. Romeo and Juliet Vendor: DO be prepared for username changes. Campus: DO standardize internally on a stable "serial number" for users. Campus: DO support a varied set of identifiers. DON'T be afraid of eduPersonTargetedID. The last slide links to https://carmenwiki.osu.edu/display/CICIDM/Current+Working+Draft+of+Cloud+Se… which seems to have similar advice but not in bullet form. :) Much more detail, I mean. So! My takeaway from all this is that I would very much like the IdPs to send Dataverse a "stable 'serial number' for users". That's the thing I want to store in the database on the Dataverse side. Can all the IdPs out there send me this? Phil On Wed, Jul 30, 2014 at 3:00 AM, Leonhard Maylein <Maylein(a)ub.uni-heidelberg.de<mailto:Maylein@ub.uni-heidelberg.de>> wrote: Hi, I'm not really a shibboleth expert. As far as I can see, ePTID is used mainly in Shibboleth 1.x/SAML 1.x. Shibboleth 2.x uses the persistentNameID (see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID) Shibboleth 1.x is no longer supported (see https://wiki.shibboleth.net/confluence/display/SHIB/WebHome). From a data privacy point of view, eppn could be problematic. PersistentNameIDs are pseudonyms. But I'm not sure if every IdP supports the persitentNameID, although there are a lot of service providers (especially publishers) which use this ID for personalization). Maybe you could make it configurable which attribute/id is used? To be sure, I will forward your email to our shibboleth federation hotline. Leonhard Maylein Am 29.07.2014 um 23:15 schrieb Philip Durbin: Hello! Question for all you Shibboleth experts out there... If I'd like to take one of the attributes and store in in Dataverse as a persistent identifier? Which one should I use? From playing around with the IdP at http://testshib.org I assumed "persistent-id" would be the one to use. It looks nice and unique: persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… However! I'm hearing that "persistent-id" may not be so commonly used... that perhaps in Higher Ed anyway "eppn" might be used instead. The weird thing to me about "eppn", however is that (at least from TestShib) there's a username in it: eppn: myself(a)testshib.org<mailto:myself@testshib.org> Furthermore, eppn is allowed to change (!) according to https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-… "Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute." So... maybe we should require eduPersonTargetedID (also known as ePTID) instead... But then I checked in with a non-Higher Ed person, and he uses Assertion -> Subject -> NameID. It looks like this: <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID> It's got "persistent" in it, which I like. :) From what I can tell from docs above "[ePTID] is an abstracted version of [NameID]" anyway, so maybe I should just require NameID so non-Higher Ed people aren't confused. Of course, I may just be confusing myself... I hope it's clear what I'm asking... What we need on the Dataverse side is to but something in the "FIXME" below: permanentId = httpServletRequest.getAttribute("FIXME"); Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise. We'll be using this value to find the Shib users in the system each time they log in. Thanks! Phil p.s. Chats I just had (summarized above): http://irclog.perlgeek.de/shibboleth/2014-07-29 Time Nick Message 19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything? 19:59 hsnopi not taht I am specifically aware of. I think it is used to give a user a permenant id but i could be very very wrong 19:59 pdurbin that's how I was thinking I'd use it 19:59 pdurbin but I'm also hearing that eppn is preferred, maybe? 20:00 pdurbin the IdP at http://testshib.org sends both 20:00 hsnopi that is so far out of my league 20:00 pdurbin eppn: myself(a)testshib.org<mailto:myself@testshib.org> 20:00 pdurbin persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… 20:01 pdurbin persistent-id seemed "safer" to use... more unique... 20:01 hsnopi i seem to vaguely recall something about eppn going away at soem point. 20:01 pdurbin hmm http://www.evanchooly.com/logs/%2523glassfish/2014-07-29 pdurbin whartung: persistent-id or eppn? whartung pdurbin: eh? pdurbin heh pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29 whartung frankly, I don't recognize either of those :) pdurbin whartung: what attribute do you use to uniquely identify a user who has logged in via shibboleth? whartung Subject->NAmeID pdurbin huh pdurbin I'm not used to seeing "->" in an attribute whartung Assertion -> Subject -> NameID pdurbin oh oh whartung no, it's the heirarchy pdurbin whartung: you're giving me the xpath ;) whartung yea pdurbin cool. thanks pdurbin NameID. hmm pdurbin commonly used? whartung Apparently pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName https://www.incommon.org/federation/attributesummary.html whartung ok whartung yea, we're not in that domain whartung generic Response of ours: http://pastie.org/private/oay0trwmvrw9e0haekqmlw pdurbin ok so <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID> pdurbin interesting whartung right pdurbin so I'm seeing "persistent" there and under "longevity" at https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes pdurbin "persistent: identifiers which are good for a long period of time (e.g. years) but which the IdP may revoke" whartung yea, perahps we should use "permanent" instead pdurbin right _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin ------------------------------ _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth End of dvn-auth Digest, Vol 8, Issue 1 **************************************

9 years, 2 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

dvn-auth February 2015