Hi Phil, I've comment on your GitHub suggestions related to the identifer/identity attributes of eppn (eduPersonPrincipalName), ePTID (eduPersonTargetedID), and NameID. I post it here for others. Hi Phil, I think you are misunderstanding the purpose of the these identity-oriented attributes when you talk about "ordering." Either that or I'm mis-understanding your business case :-). Generally, identity and identifier attributes are used for account-finding and also authorization. And other attributes (like roles and groups) also factor into authorization. There's not really an "ordering" but rather a question of "purpose" for each attribute. An IdP is generally only going to send you one of the attributes you list for a given user. Its purpose is "account-finding" if applicable, and/or "identifier-based authorization." Thx, Marlena 617-872-9736 -----Original Message----- From: "dvn-auth-request@lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>" <dvn-auth-request@lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>> Reply-To: "dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Date: Thursday, February 5, 2015 at 12:00 PM To: "dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: dvn-auth Digest, Vol 8, Issue 1 Send dvn-auth mailing list submissions to dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To subscribe or unsubscribe via the World Wide Web, visit https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth or, via email, send a message with subject or body 'help' to dvn-auth-request@lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu> You can reach the person managing the list at dvn-auth-owner@lists.iq.harvard.edu<mailto:dvn-auth-owner@lists.iq.harvard.edu> When replying, please edit your Subject line so it is more specific than "Re: Contents of dvn-auth digest..." Today's Topics: 1. Re: Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID (Philip Durbin) ---------------------------------------------------------------------- Message: 1 Date: Thu, 5 Feb 2015 10:45:03 -0500 From: Philip Durbin <philip_durbin@harvard.edu<mailto:philip_durbin@harvard.edu>> To: "dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: Re: [dvn-auth] Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID Message-ID: <CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com<mailto:CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com>> Content-Type: text/plain; charset=UTF-8 Happy New Year, dvn-auth list! :) I just created a ticket about eppn vs. ePTID vs. NameID at https://github.com/IQSS/dataverse/issues/1422 Comments there or here are certainly welcome! Phil On Wed, Jul 30, 2014 at 1:39 PM, Philip Durbin <philip_durbin@harvard.edu<mailto:philip_durbin@harvard.edu>> wrote: Hi Leonhard! Thanks for your reply! I'm very curious what your Shibboleth federation hotline has to say. Meanwhile, a little bird on this list pointed me to a "Cloud Services Cookbook" recorded only a couple weeks ago that seems to have a ton of related advice: http://www.incommon.org/iamonline/ I'll copy the DO and DON'T bullet points from the slides and in our heads we can all translate "Vendor" to "Dataverse" and "Campus" to all the IdP providers out there: http://www.incommon.org/docs/iamonline/20140716_IAMOnline.pdf Slide 11 Challenges: Network IDs and Email Addresses CONSIDER the relationship between ePPN and mail. Campus: DO socialize the use of organizational email addresses. Campus: DO make eduPersonPrincipalName useful. Vendor: DO be cautious about using mail as a unique identifier Slide 12 Challenges: Scoped and Unscoped Identifiers Campus: DO work with service providers to understand how data is being interpreted. Vendor: DON'T assume that a simple username is unique across domains and subdomains. Slide 19 Challenge: Usernames Change ?What's in a name? ...a rose by any other name would smell as sweet" -?Act II, Scene II. Romeo and Juliet Vendor: DO be prepared for username changes. Campus: DO standardize internally on a stable "serial number" for users. Campus: DO support a varied set of identifiers. DON'T be afraid of eduPersonTargetedID. The last slide links to https://carmenwiki.osu.edu/display/CICIDM/Current+Working+Draft+of+Cloud+Se… which seems to have similar advice but not in bullet form. :) Much more detail, I mean. So! My takeaway from all this is that I would very much like the IdPs to send Dataverse a "stable 'serial number' for users". That's the thing I want to store in the database on the Dataverse side. Can all the IdPs out there send me this? Phil On Wed, Jul 30, 2014 at 3:00 AM, Leonhard Maylein <Maylein@ub.uni-heidelberg.de<mailto:Maylein@ub.uni-heidelberg.de>> wrote: Hi, I'm not really a shibboleth expert. As far as I can see, ePTID is used mainly in Shibboleth 1.x/SAML 1.x. Shibboleth 2.x uses the persistentNameID (see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID) Shibboleth 1.x is no longer supported (see https://wiki.shibboleth.net/confluence/display/SHIB/WebHome). From a data privacy point of view, eppn could be problematic. PersistentNameIDs are pseudonyms. But I'm not sure if every IdP supports the persitentNameID, although there are a lot of service providers (especially publishers) which use this ID for personalization). Maybe you could make it configurable which attribute/id is used? To be sure, I will forward your email to our shibboleth federation hotline. Leonhard Maylein Am 29.07.2014 um 23:15 schrieb Philip Durbin: Hello! Question for all you Shibboleth experts out there... If I'd like to take one of the attributes and store in in Dataverse as a persistent identifier? Which one should I use? From playing around with the IdP at http://testshib.org I assumed "persistent-id" would be the one to use. It looks nice and unique: persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… However! I'm hearing that "persistent-id" may not be so commonly used... that perhaps in Higher Ed anyway "eppn" might be used instead. The weird thing to me about "eppn", however is that (at least from TestShib) there's a username in it: eppn: myself@testshib.org<mailto:myself@testshib.org> Furthermore, eppn is allowed to change (!) according to https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-… "Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute." So... maybe we should require eduPersonTargetedID (also known as ePTID) instead... But then I checked in with a non-Higher Ed person, and he uses Assertion -> Subject -> NameID. It looks like this: <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID> It's got "persistent" in it, which I like. :) From what I can tell from docs above "[ePTID] is an abstracted version of [NameID]" anyway, so maybe I should just require NameID so non-Higher Ed people aren't confused. Of course, I may just be confusing myself... I hope it's clear what I'm asking... What we need on the Dataverse side is to but something in the "FIXME" below: permanentId = httpServletRequest.getAttribute("FIXME"); Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise. We'll be using this value to find the Shib users in the system each time they log in. Thanks! Phil p.s. Chats I just had (summarized above): http://irclog.perlgeek.de/shibboleth/2014-07-29 Time Nick Message 19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything? 19:59 hsnopi not taht I am specifically aware of. I think it is used to give a user a permenant id but i could be very very wrong 19:59 pdurbin that's how I was thinking I'd use it 19:59 pdurbin but I'm also hearing that eppn is preferred, maybe? 20:00 pdurbin the IdP at http://testshib.org sends both 20:00 hsnopi that is so far out of my league 20:00 pdurbin eppn: myself@testshib.org<mailto:myself@testshib.org> 20:00 pdurbin persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… 20:01 pdurbin persistent-id seemed "safer" to use... more unique... 20:01 hsnopi i seem to vaguely recall something about eppn going away at soem point. 20:01 pdurbin hmm http://www.evanchooly.com/logs/%2523glassfish/2014-07-29 pdurbin whartung: persistent-id or eppn? whartung pdurbin: eh? pdurbin heh pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29 whartung frankly, I don't recognize either of those :) pdurbin whartung: what attribute do you use to uniquely identify a user who has logged in via shibboleth? whartung Subject->NAmeID pdurbin huh pdurbin I'm not used to seeing "->" in an attribute whartung Assertion -> Subject -> NameID pdurbin oh oh whartung no, it's the heirarchy pdurbin whartung: you're giving me the xpath ;) whartung yea pdurbin cool. thanks pdurbin NameID. hmm pdurbin commonly used? whartung Apparently pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName https://www.incommon.org/federation/attributesummary.html whartung ok whartung yea, we're not in that domain whartung generic Response of ours: http://pastie.org/private/oay0trwmvrw9e0haekqmlw pdurbin ok so <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID> pdurbin interesting whartung right pdurbin so I'm seeing "persistent" there and under "longevity" at https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes pdurbin "persistent: identifiers which are good for a long period of time (e.g. years) but which the IdP may revoke" whartung yea, perahps we should use "permanent" instead pdurbin right _______________________________________________ dvn-auth mailing list dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth _______________________________________________ dvn-auth mailing list dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin ------------------------------ _______________________________________________ dvn-auth mailing list dvn-auth@lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth End of dvn-auth Digest, Vol 8, Issue 1 **************************************