Hello!
Question for all you Shibboleth experts out there... If I'd like to
take one of the attributes and store in in Dataverse as a persistent
identifier? Which one should I use?
>From playing around with the IdP at http://testshib.org I assumed
"persistent-id" would be the one to use. It looks nice and unique:
persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
However! I'm hearing that "persistent-id" may not be so commonly
used... that perhaps in Higher Ed anyway "eppn" might be used instead.
The weird thing to me about "eppn", however is that (at least from
TestShib) there's a username in it:
eppn: myself(a)testshib.org
Furthermore, eppn is allowed to change (!) according to
https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-…
"Values of eduPersonPrincipalName are often, but not required to be,
human-friendly, and may change as a result of various business
processes. They may also be reassigned after a locally-defined period
of dormancy. Applications that require a guarantee of non-reassignment
and more stability, but can tolerate values unfriendly (and unknown)
to humans should refer to the eduPersonTargetedID attribute."
So... maybe we should require eduPersonTargetedID (also known as
ePTID) instead...
But then I checked in with a non-Higher Ed person, and he uses
Assertion -> Subject -> NameID. It looks like this:
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID>
It's got "persistent" in it, which I like. :)
>From what I can tell from docs above "[ePTID] is an abstracted version
of [NameID]" anyway, so maybe I should just require NameID so
non-Higher Ed people aren't confused.
Of course, I may just be confusing myself... I hope it's clear what
I'm asking... What we need on the Dataverse side is to but something
in the "FIXME" below:
permanentId = httpServletRequest.getAttribute("FIXME");
Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise.
We'll be using this value to find the Shib users in the system each
time they log in.
Thanks!
Phil
p.s. Chats I just had (summarized above):
http://irclog.perlgeek.de/shibboleth/2014-07-29
Time Nick Message
19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything?
19:59 hsnopi not taht I am specifically aware of. I think it is used
to give a user a permenant id but i could be very very wrong
19:59 pdurbin that's how I was thinking I'd use it
19:59 pdurbin but I'm also hearing that eppn is preferred, maybe?
20:00 pdurbin the IdP at http://testshib.org sends both
20:00 hsnopi that is so far out of my league
20:00 pdurbin eppn: myself(a)testshib.org
20:00 pdurbin persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
20:01 pdurbin persistent-id seemed "safer" to use... more unique...
20:01 hsnopi i seem to vaguely recall something about eppn going away
at soem point.
20:01 pdurbin hmm
http://www.evanchooly.com/logs/%2523glassfish/2014-07-29
pdurbin whartung: persistent-id or eppn?
whartung pdurbin: eh?
pdurbin heh
pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29
whartung frankly, I don't recognize either of those :)
pdurbin whartung: what attribute do you use to uniquely identify a
user who has logged in via shibboleth?
whartung Subject->NAmeID
pdurbin huh
pdurbin I'm not used to seeing "->" in an attribute
whartung Assertion -> Subject -> NameID
pdurbin oh oh
whartung no, it's the heirarchy
pdurbin whartung: you're giving me the xpath ;)
whartung yea
pdurbin cool. thanks
pdurbin NameID. hmm
pdurbin commonly used?
whartung Apparently
pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName
https://www.incommon.org/federation/attributesummary.html
whartung ok
whartung yea, we're not in that domain
whartung generic Response of ours:
http://pastie.org/private/oay0trwmvrw9e0haekqmlw
pdurbin ok so <saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID>
pdurbin interesting
whartung right
pdurbin so I'm seeing "persistent" there and under "longevity" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
pdurbin "persistent: identifiers which are good for a long period of
time (e.g. years) but which the IdP may revoke"
whartung yea, perahps we should use "permanent" instead
pdurbin right
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
Hi all,
You may have seen the general information about the formation of
Community Groups for Dataverse at [1].
"(...) Community Groups will be formed during the /First Annual
Dataverse Community Meeting (June 9-11)/
<http://community.dataverse.org/community-meetings/2015/index.html#community…>
and will report back to the /Dataverse Advisory Team/
<http://community.dataverse.org/advisory-team.html#advisory-team>."
[1]: http://community.dataverse.org/community-groups/index.html
" The Dataverse Advisory team advises the Dataverse team at IQSS, which
includes PI Gary King, Project Lead Mercè Crosas and members of the Data
Science team at IQSS (http://datascience.iq.harvard.edu/team), on all
significant general areas involving the Dataverse software application,
with a focus on technical advice." [2]
[2]: http://community.dataverse.org/advisory-team.html#advisory-team
One Community Group you as a subscriber to this list may be interested
in, is Authentication and Authorization ("Auth") [3], which is
coordinated by Philip Durbin and me.
The group will discuss 'auth' functional and technical questions and
requirements, use cases, etc. and report to the Advisory Team who can
advise about these topics. For example, a major current topic is
Shibboleth support in Dataverse 4. DDN (me :)) is thinking about
assigning roles to specific dataverses to users based on SAML
attributes. We are, naturally, interested in other aspects or ways of
authenticating and authorizing too.
[3]: http://community.dataverse.org/community-groups/auth.html
On a meta level, the community groups are still / yet to be discussed.
We expect that to happen between now and the end of the First Community
Meeting in June. You don't need to wait for the meeting in June to join
the discussion about auth, of course :)
If you are interested in being part of the auth group, please let Phil
or me know via email and we'll make sure you get the details. Of course,
news about the auth group will be posted here and in #dataverse on
Freenode IRC as well.
Looking forward to talk to/chat with/see/.. you!
Phil and Ben
Ben Companjen
Information systems engineer / Information manager
ben.companjen(a)dans.knaw.nl
+31 6 1334 9717
Skype: bencompanjen
Data Archiving and Networked Services (DANS)
DANS promotes sustained access to digital research data. See
www.dans.knaw.nl for more information and contact details. DANS is an
institute of KNAW and NWO.
DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 |
2509 AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl | www.dans.knaw.nl
Hi Phil,
I've comment on your GitHub suggestions related to the identifer/identity attributes of eppn (eduPersonPrincipalName), ePTID (eduPersonTargetedID), and NameID.
I post it here for others.
Hi Phil, I think you are misunderstanding the purpose of the these identity-oriented attributes when you talk about "ordering." Either that or I'm mis-understanding your business case :-). Generally, identity and identifier attributes are used for account-finding and also authorization. And other attributes (like roles and groups) also factor into authorization. There's not really an "ordering" but rather a question of "purpose" for each attribute. An IdP is generally only going to send you one of the attributes you list for a given user. Its purpose is "account-finding" if applicable, and/or "identifier-based authorization."
Thx,
Marlena
617-872-9736
-----Original Message-----
From: "dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>" <dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>>
Reply-To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Date: Thursday, February 5, 2015 at 12:00 PM
To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Subject: dvn-auth Digest, Vol 8, Issue 1
Send dvn-auth mailing list submissions to
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
or, via email, send a message with subject or body 'help' to
dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>
You can reach the person managing the list at
dvn-auth-owner(a)lists.iq.harvard.edu<mailto:dvn-auth-owner@lists.iq.harvard.edu>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of dvn-auth digest..."
Today's Topics:
1. Re: Shibboleth persistent identifier: persistent-id vs. eppn
vs. ePTID vs. NameID (Philip Durbin)
----------------------------------------------------------------------
Message: 1
Date: Thu, 5 Feb 2015 10:45:03 -0500
From: Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>>
To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Subject: Re: [dvn-auth] Shibboleth persistent identifier:
persistent-id vs. eppn vs. ePTID vs. NameID
Message-ID:
<CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw(a)mail.gmail.com<mailto:CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com>>
Content-Type: text/plain; charset=UTF-8
Happy New Year, dvn-auth list! :)
I just created a ticket about eppn vs. ePTID vs. NameID at
https://github.com/IQSS/dataverse/issues/1422
Comments there or here are certainly welcome!
Phil
On Wed, Jul 30, 2014 at 1:39 PM, Philip Durbin
<philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> wrote:
Hi Leonhard!
Thanks for your reply! I'm very curious what your Shibboleth
federation hotline has to say.
Meanwhile, a little bird on this list pointed me to a "Cloud Services
Cookbook" recorded only a couple weeks ago that seems to have a ton of
related advice: http://www.incommon.org/iamonline/
I'll copy the DO and DON'T bullet points from the slides and in our
heads we can all translate "Vendor" to "Dataverse" and "Campus" to all
the IdP providers out there:
http://www.incommon.org/docs/iamonline/20140716_IAMOnline.pdf
Slide 11
Challenges: Network IDs and Email Addresses
CONSIDER the relationship between ePPN and mail.
Campus: DO socialize the use of organizational email addresses.
Campus: DO make eduPersonPrincipalName useful.
Vendor: DO be cautious about using mail as a unique identifier
Slide 12
Challenges: Scoped and Unscoped Identifiers
Campus: DO work with service providers to understand how data is being
interpreted.
Vendor: DON'T assume that a simple username is unique across domains
and subdomains.
Slide 19
Challenge: Usernames Change
?What's in a name? ...a rose by any other name would smell as sweet"
-?Act II, Scene II. Romeo and Juliet
Vendor: DO be prepared for username changes.
Campus: DO standardize internally on a stable "serial number" for users.
Campus: DO support a varied set of identifiers.
DON'T be afraid of eduPersonTargetedID.
The last slide links to
https://carmenwiki.osu.edu/display/CICIDM/Current+Working+Draft+of+Cloud+Se…
which seems to have similar advice but not in bullet form. :) Much
more detail, I mean.
So! My takeaway from all this is that I would very much like the IdPs
to send Dataverse a "stable 'serial number' for users". That's the
thing I want to store in the database on the Dataverse side. Can all
the IdPs out there send me this?
Phil
On Wed, Jul 30, 2014 at 3:00 AM, Leonhard Maylein
<Maylein(a)ub.uni-heidelberg.de<mailto:Maylein@ub.uni-heidelberg.de>> wrote:
Hi,
I'm not really a shibboleth expert. As far as I can see,
ePTID is used mainly in Shibboleth 1.x/SAML 1.x.
Shibboleth 2.x uses the persistentNameID (see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID)
Shibboleth 1.x is no longer supported (see
https://wiki.shibboleth.net/confluence/display/SHIB/WebHome).
From a data privacy point of view, eppn could be problematic.
PersistentNameIDs are pseudonyms.
But I'm not sure if every IdP supports the persitentNameID,
although there are a lot of service providers (especially publishers)
which use this ID for personalization).
Maybe you could make it configurable which attribute/id is used?
To be sure, I will forward your email to our shibboleth federation
hotline.
Leonhard Maylein
Am 29.07.2014 um 23:15 schrieb Philip Durbin:
Hello!
Question for all you Shibboleth experts out there... If I'd like to
take one of the attributes and store in in Dataverse as a persistent
identifier? Which one should I use?
From playing around with the IdP at http://testshib.org I assumed
"persistent-id" would be the one to use. It looks nice and unique:
persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
However! I'm hearing that "persistent-id" may not be so commonly
used... that perhaps in Higher Ed anyway "eppn" might be used instead.
The weird thing to me about "eppn", however is that (at least from
TestShib) there's a username in it:
eppn: myself(a)testshib.org<mailto:myself@testshib.org>
Furthermore, eppn is allowed to change (!) according to
https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-…
"Values of eduPersonPrincipalName are often, but not required to be,
human-friendly, and may change as a result of various business
processes. They may also be reassigned after a locally-defined period
of dormancy. Applications that require a guarantee of non-reassignment
and more stability, but can tolerate values unfriendly (and unknown)
to humans should refer to the eduPersonTargetedID attribute."
So... maybe we should require eduPersonTargetedID (also known as
ePTID) instead...
But then I checked in with a non-Higher Ed person, and he uses
Assertion -> Subject -> NameID. It looks like this:
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID>
It's got "persistent" in it, which I like. :)
From what I can tell from docs above "[ePTID] is an abstracted version
of [NameID]" anyway, so maybe I should just require NameID so
non-Higher Ed people aren't confused.
Of course, I may just be confusing myself... I hope it's clear what
I'm asking... What we need on the Dataverse side is to but something
in the "FIXME" below:
permanentId = httpServletRequest.getAttribute("FIXME");
Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please
advise.
We'll be using this value to find the Shib users in the system each
time they log in.
Thanks!
Phil
p.s. Chats I just had (summarized above):
http://irclog.perlgeek.de/shibboleth/2014-07-29
Time Nick Message
19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything?
19:59 hsnopi not taht I am specifically aware of. I think it is used
to give a user a permenant id but i could be very very wrong
19:59 pdurbin that's how I was thinking I'd use it
19:59 pdurbin but I'm also hearing that eppn is preferred, maybe?
20:00 pdurbin the IdP at http://testshib.org sends both
20:00 hsnopi that is so far out of my league
20:00 pdurbin eppn: myself(a)testshib.org<mailto:myself@testshib.org>
20:00 pdurbin persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
20:01 pdurbin persistent-id seemed "safer" to use... more unique...
20:01 hsnopi i seem to vaguely recall something about eppn going away
at soem point.
20:01 pdurbin hmm
http://www.evanchooly.com/logs/%2523glassfish/2014-07-29
pdurbin whartung: persistent-id or eppn?
whartung pdurbin: eh?
pdurbin heh
pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29
whartung frankly, I don't recognize either of those :)
pdurbin whartung: what attribute do you use to uniquely identify a
user who has logged in via shibboleth?
whartung Subject->NAmeID
pdurbin huh
pdurbin I'm not used to seeing "->" in an attribute
whartung Assertion -> Subject -> NameID
pdurbin oh oh
whartung no, it's the heirarchy
pdurbin whartung: you're giving me the xpath ;)
whartung yea
pdurbin cool. thanks
pdurbin NameID. hmm
pdurbin commonly used?
whartung Apparently
pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName
https://www.incommon.org/federation/attributesummary.html
whartung ok
whartung yea, we're not in that domain
whartung generic Response of ours:
http://pastie.org/private/oay0trwmvrw9e0haekqmlw
pdurbin ok so <saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID>
pdurbin interesting
whartung right
pdurbin so I'm seeing "persistent" there and under "longevity" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
pdurbin "persistent: identifiers which are good for a long period of
time (e.g. years) but which the IdP may revoke"
whartung yea, perahps we should use "permanent" instead
pdurbin right
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
------------------------------
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
End of dvn-auth Digest, Vol 8, Issue 1
**************************************