SlideShare une entreprise Scribd logo

20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

Télécharger en tant que PPTX, PDF
J
Jon Agland

Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifer

Technologie
1  sur  21
Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifier? Jon Agland Trust and Identity, Jisc Internet2 ACAMP 2023 (Unconference session) 2023-09-22 [Slides based on a 2021 presentation, to aid discussion]
Subject Identifiers in the UK federation Subject Identifiers in the UK federation 2 • Background (What are they, existing, the new standard, problems) • Supporting the new standard as IdP (first) • Supporting the new standard as SP (later) • Supporting the new standard as a federation operator
What are Subject Identifiers? Subject - a person or thing that is being discussed, described, or dealt with. Identifier - a person or thing that identifies someone or something. Subject Identifiers in the UK federation 3
Existing Subject Identifiers in the federation From the eduPersonSchema [1] eduPersonTargetedID is an abstracted version of the SAML V2.0 Name Identifier format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" eduPersonPrincipalName is a scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 4
Further identifiers in the federation eduPersonNamePrincipalPrior  multi-valued  only one SP has this a Requested Attribute eduPersonUniqueID  appeared in 2013, low take-up  indication that 59 SPs have Requested Attributes for this  Only one of those directly registered in the UK federation.  [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 5
Requested Attribute as an indicator Requested Attributes as a (bad!) indicator of attribute usage... eduPersonTargetedID - 674 eduPersonPrinicpalName - 1269 • Federation default policy – advises release of both these by IdPs to SPs • Only 378 of 1731 SPs in the UK federation have Requested Attributes in their metadata. Subject Identifiers in the UK federation 6
Existing Subject Identifiers in SAML Subject Identifiers in the UK federation 7 Name Identifiers  Some commonly used NameIDs  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent  urn:oasis:names:tc:SAML:2.0:nameid-format:transient  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress  An IdP in the UK federation will typically release  Transient in the Subject  Persistent in a SAML Attribute (eduPersonTargetedID)
Email Address as an Identifier Subject Identifiers in the UK federation 8  Not guaranteed unique to a subject  e.g. service@ukfederation.org.uk  Maybe be re-assigned  e.g. vc@camford.ac.uk  e.g. joe.bloggs@camford.ac.uk  Life events or affiliation may change it  Not always assigned by institution  May not be validated  https://spaces.at.internet2.edu/display/federation/why-is-email- not-an-appropriate-user-identifier  Hear our war story! "Return To Sender" by pheezy is licensed under CC BY 2.0
New Standard – SAML Subject Identifiers Subject Identifiers in the UK federation 9 Two new SAML Attributes defined in a new standard [1]  urn:oasis:names:tc:SAML:attribute:subject-id  bob123132@example.ac.uk  Alignment with eduPersonUniqueID  urn:oasis:names:tc:SAML:attribute:pairwise-id  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Hang on this looks familiar? SAML1/eduPerson mace-dir/eduPersonTargetedID.old  Review the problem statement in the standard.  [1] http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
Drivers – SAML Subject Identifiers Subject Identifiers in the UK federation 10 • New standard has been ratified for over two years. • Use cases are coming... • eduPerson 2020-01 marks existing identifier as deprecated • eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a future version of this specification. • New REFEDS Research and Scholarship v2.0 entity category • Nearing consultation, will require the new SAML Subject Identifier. • Research intensive organisations, may need to support the new standard sooner. • Shibboleth project deprecating • Stay of execution in v5 (marked as deprecated?) "Winter is Coming" by Trey Ratcliff is licensed under CC BY-NC-SA 2.0
https://xkcd.com/927/ eduPersonTargetedID is dead, long live eduPersonTargetedID Subject Identifiers in the UK federation 11 2023 – NOT FOR MUCH LONGER
One existing problem - Case sensitivity • Existing Identifiers may be using case sensitive values • Existing Shibboleth IdPs, Base64, ComputedID StoredID. • How does an SP handle this scenario? https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg== https://idp.example.ac.uk/idp!https://sp.example.org/sp!BWVYAG1HC2RNYXNKZ2HHC2RNCG== • New(er) Shibboleth IdPs deployers should use Base32. • SPs can test with the UK federation Test IdP (accounts Yanny and Laurel) [1] [1] https://www.ukfederation.org.uk/content/Documents/TestIdP Subject Identifiers in the UK federation 12
Supporting the SAML subject identifiers - IdPs Subject Identifiers in the UK federation 13 A fresh start?  If your existing ComputedID connector uses Base64, then you should.  Change to Base32  Change source attribute  ObjectGUID, ObjectSid – these tie you heavily to Microsoft Active Directory, Binary Attributes tricky to handle  uid, sAMAccountName, userPrincipalName, cn, mail – all potentially affected by changes of name, affiliation  employee and student number – on the face of it, a great choice as a source pairwise-id  What source for subject-id?
Two more questions for IdPs (another poll!)  What source attribute would you use for subject-id?  (urn:oasis:names:tc:SAML:attribute:subject-id)  What source attribute would you use for pairwise-id? (urn:oasis:names:tc:SAML:attribute:pairwise-id) Subject Identifiers in the UK federation 14
Signalling Subject Identifiers in the UK federation 15 We talked about Requested Attributes.. • SPs signalling what attributes they support/require using Requested Attributes • Existing Requested Attributes are another problem • Can’t say "I’d like one of eduPersonPrincipalName, eduPersonTargetedID or mail (Email address) please?" • Can only say "these are required, these are not required/optional" • New entity category has options of pairwise-id, subject-id, any or none • How do IdP operators feel about subject-id being auto released? • Will you being using an attribute containing personal information? • Quick poll..
entityIDs vs scopes Subject Identifiers in the UK federation 16  Existing SAML attributes are tied based on entityID - another problem!  Deployment of the new Subject Identifiers  Will eventually free us from the tie of the entityID  Will tie us instead to the scope  In the meantime, we will be tied to both?  Aren't we already?  Scopes  A single scope can be asserted by multiple IdPs  IdPs can assert multiple scopes (depending on their software/configuration)  Scopes and the domains they represent are verified for compliance with our metadata registration practice statement [1] [1] https://docs.ukfederation.org.uk/mdrps/
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 17  No personalisation, no worries?  Possibly one, reporting may show more unique users.
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 18 Maintaining Personalisation  Problem of mapping X to Y in a lot of cases  https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg==  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Will likely need co-ordination between IdP and SP  Might need to share and log the most recent Assertion ID to aid this process.  Attribute priority might need to be done per customer, rather than per service?  In the Shibboleth SP REMOTE_USER vs Attribute itself
Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 19 Building a new SP  If I was deploying an SP today and required personalisation attributes..  urn:oasis:names:tc:SAML:attribute:subject-id fallback to eduPersonPrincipalName  urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonTargetedID • urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonPrincipalName  Handy if your end application can’t handle SPentityID!IdPentityID!value
Supporting the SAML subject identifiers – UK federation  What do we need to do?  Build the new entity category support into our tooling, so that SPs can signal their support  Setup IdP test accounts that release pairwise-id and subject-id  Test SP and attribute viewer  Might be additional entityIDs based on the four values of the entity attribute  Guidance/documentation for Shibboleth IdP and SP operators  Your thoughts and feedback? Subject Identifiers in the UK federation 20
Two questions for IdPs? Subject Identifiers in the UK federation 21 • How are you deriving eduPersonTargetedID? • (what is the source attribute) • Or persistent-name-id • How are you deriving eduPersonPrincipalName? • (what is the source attribute)?

Recommandé

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OpenIDFoundation
 
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Alasdair Gray
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study
JISC.AM
 
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
Syed Ahmad Chan Bukhari, PhD
 
Web Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and SimplicityWeb Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and Simplicity
hannonhill
 
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
Amazon Web Services
 

Recommandé

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...
OpenIDFoundation
 
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Tutorial: Describing Datasets with the Health Care and Life Sciences Communit...
Alasdair Gray
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study1345 1400 Fiona Cullock Edina Case Study
1345 1400 Fiona Cullock Edina Case Study
JISC.AM
 
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
CEDAR: Easing Authoring of Metadata to Make Biomedical Data Sets More Findabl...
Syed Ahmad Chan Bukhari, PhD
 
Web Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and SimplicityWeb Services: Encapsulation, Reusability, and Simplicity
Web Services: Encapsulation, Reusability, and Simplicity
hannonhill
 
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
AWS re:Invent 2016: Zillow Group: Developing Classification and Recommendatio...
Amazon Web Services
 
Sem tech 2011 v8
Sem tech 2011 v8Sem tech 2011 v8
Sem tech 2011 v8
dallemang
 
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
Digitised Manuscripts to Europeana
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
Yong Siang (Ivan) Tan
 
PerformanceSCORM
PerformanceSCORMPerformanceSCORM
PerformanceSCORM
openforum
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Chris Phillips
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
charper
 
Modeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught MeModeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught Me
David Boike
 
Mark logic text analytics
Mark logic text analyticsMark logic text analytics
Mark logic text analytics
Fernando Mesa
 
Paper presentation
Paper presentationPaper presentation
Paper presentation
K.K. Tripathi
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
Juan Taveras
 
Virtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDFVirtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDF
OpenLink Software
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elasticsearch
 
How Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information DiscoveryHow Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information Discovery
Alex Meadows
 
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Kingsley Uyi Idehen
 
20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf
Michal Miklas
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
HostedbyConfluent
 
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and SparkVital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital.AI
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
Daniel Zivkovic
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
honey725342
 
SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)
Odinot Stanislas
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Contenu connexe

Similaire à 20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
Digitised Manuscripts to Europeana
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
Yong Siang (Ivan) Tan
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
charper
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
Juan Taveras
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
HostedbyConfluent
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
honey725342
 

Similaire à 20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx (20)

Sem tech 2011 v8
Sem tech 2011 v8Sem tech 2011 v8
Sem tech 2011 v8
 
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
DM2E Project meeting Bergen: WP2 RDF Validation, Kai Eckert (University of Ma...
 
DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19DataScience SG | Undergrad Series | 26th Sep 19
DataScience SG | Undergrad Series | 26th Sep 19
 
PerformanceSCORM
PerformanceSCORMPerformanceSCORM
PerformanceSCORM
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 
C4l2008charper
C4l2008charperC4l2008charper
C4l2008charper
 
Modeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught MeModeling Tricks My Relational Database Never Taught Me
Modeling Tricks My Relational Database Never Taught Me
 
Mark logic text analytics
Mark logic text analyticsMark logic text analytics
Mark logic text analytics
 
Paper presentation
Paper presentationPaper presentation
Paper presentation
 
Bacnet for field technicians
Bacnet for field techniciansBacnet for field technicians
Bacnet for field technicians
 
Virtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDFVirtuoso -- The Prometheus of RDF
Virtuoso -- The Prometheus of RDF
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
 
How Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information DiscoveryHow Linked Data Can Speed Information Discovery
How Linked Data Can Speed Information Discovery
 
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
Virtuoso, The Prometheus of RDF -- Sematics 2014 Conference Keynote
 
20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf20th Feb 2020 json-ld-rdf-im-proposal.pdf
20th Feb 2020 json-ld-rdf-im-proposal.pdf
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
 
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and SparkVital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
Vital AI MetaQL: Queries Across NoSQL, SQL, Sparql, and Spark
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
1 Exploratory Data Analysis (EDA) by Melvin Ott, PhD.docx
 
SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)SNIA : Swift Object Storage adding EC (Erasure Code)
SNIA : Swift Object Storage adding EC (Erasure Code)
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Dernier (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

20230922 - ACAMP session on moving from eduPersonTargetedID to Subject Identifier.pptx

  • 1. Moving from eduPersonTargetedId to SAML Subject Identifier/Pairwise Identifier? Jon Agland Trust and Identity, Jisc Internet2 ACAMP 2023 (Unconference session) 2023-09-22 [Slides based on a 2021 presentation, to aid discussion]
  • 2. Subject Identifiers in the UK federation Subject Identifiers in the UK federation 2 • Background (What are they, existing, the new standard, problems) • Supporting the new standard as IdP (first) • Supporting the new standard as SP (later) • Supporting the new standard as a federation operator
  • 3. What are Subject Identifiers? Subject - a person or thing that is being discussed, described, or dealt with. Identifier - a person or thing that identifies someone or something. Subject Identifiers in the UK federation 3
  • 4. Existing Subject Identifiers in the federation From the eduPersonSchema [1] eduPersonTargetedID is an abstracted version of the SAML V2.0 Name Identifier format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" eduPersonPrincipalName is a scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 4
  • 5. Further identifiers in the federation eduPersonNamePrincipalPrior  multi-valued  only one SP has this a Requested Attribute eduPersonUniqueID  appeared in 2013, low take-up  indication that 59 SPs have Requested Attributes for this  Only one of those directly registered in the UK federation.  [1] https://wiki.refeds.org/display/STAN/eduPerson Subject Identifiers in the UK federation 5
  • 6. Requested Attribute as an indicator Requested Attributes as a (bad!) indicator of attribute usage... eduPersonTargetedID - 674 eduPersonPrinicpalName - 1269 • Federation default policy – advises release of both these by IdPs to SPs • Only 378 of 1731 SPs in the UK federation have Requested Attributes in their metadata. Subject Identifiers in the UK federation 6
  • 7. Existing Subject Identifiers in SAML Subject Identifiers in the UK federation 7 Name Identifiers  Some commonly used NameIDs  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent  urn:oasis:names:tc:SAML:2.0:nameid-format:transient  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress  An IdP in the UK federation will typically release  Transient in the Subject  Persistent in a SAML Attribute (eduPersonTargetedID)
  • 8. Email Address as an Identifier Subject Identifiers in the UK federation 8  Not guaranteed unique to a subject  e.g. service@ukfederation.org.uk  Maybe be re-assigned  e.g. vc@camford.ac.uk  e.g. joe.bloggs@camford.ac.uk  Life events or affiliation may change it  Not always assigned by institution  May not be validated  https://spaces.at.internet2.edu/display/federation/why-is-email- not-an-appropriate-user-identifier  Hear our war story! "Return To Sender" by pheezy is licensed under CC BY 2.0
  • 9. New Standard – SAML Subject Identifiers Subject Identifiers in the UK federation 9 Two new SAML Attributes defined in a new standard [1]  urn:oasis:names:tc:SAML:attribute:subject-id  bob123132@example.ac.uk  Alignment with eduPersonUniqueID  urn:oasis:names:tc:SAML:attribute:pairwise-id  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Hang on this looks familiar? SAML1/eduPerson mace-dir/eduPersonTargetedID.old  Review the problem statement in the standard.  [1] http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
  • 10. Drivers – SAML Subject Identifiers Subject Identifiers in the UK federation 10 • New standard has been ratified for over two years. • Use cases are coming... • eduPerson 2020-01 marks existing identifier as deprecated • eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a future version of this specification. • New REFEDS Research and Scholarship v2.0 entity category • Nearing consultation, will require the new SAML Subject Identifier. • Research intensive organisations, may need to support the new standard sooner. • Shibboleth project deprecating • Stay of execution in v5 (marked as deprecated?) "Winter is Coming" by Trey Ratcliff is licensed under CC BY-NC-SA 2.0
  • 11. https://xkcd.com/927/ eduPersonTargetedID is dead, long live eduPersonTargetedID Subject Identifiers in the UK federation 11 2023 – NOT FOR MUCH LONGER
  • 12. One existing problem - Case sensitivity • Existing Identifiers may be using case sensitive values • Existing Shibboleth IdPs, Base64, ComputedID StoredID. • How does an SP handle this scenario? https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg== https://idp.example.ac.uk/idp!https://sp.example.org/sp!BWVYAG1HC2RNYXNKZ2HHC2RNCG== • New(er) Shibboleth IdPs deployers should use Base32. • SPs can test with the UK federation Test IdP (accounts Yanny and Laurel) [1] [1] https://www.ukfederation.org.uk/content/Documents/TestIdP Subject Identifiers in the UK federation 12
  • 13. Supporting the SAML subject identifiers - IdPs Subject Identifiers in the UK federation 13 A fresh start?  If your existing ComputedID connector uses Base64, then you should.  Change to Base32  Change source attribute  ObjectGUID, ObjectSid – these tie you heavily to Microsoft Active Directory, Binary Attributes tricky to handle  uid, sAMAccountName, userPrincipalName, cn, mail – all potentially affected by changes of name, affiliation  employee and student number – on the face of it, a great choice as a source pairwise-id  What source for subject-id?
  • 14. Two more questions for IdPs (another poll!)  What source attribute would you use for subject-id?  (urn:oasis:names:tc:SAML:attribute:subject-id)  What source attribute would you use for pairwise-id? (urn:oasis:names:tc:SAML:attribute:pairwise-id) Subject Identifiers in the UK federation 14
  • 15. Signalling Subject Identifiers in the UK federation 15 We talked about Requested Attributes.. • SPs signalling what attributes they support/require using Requested Attributes • Existing Requested Attributes are another problem • Can’t say "I’d like one of eduPersonPrincipalName, eduPersonTargetedID or mail (Email address) please?" • Can only say "these are required, these are not required/optional" • New entity category has options of pairwise-id, subject-id, any or none • How do IdP operators feel about subject-id being auto released? • Will you being using an attribute containing personal information? • Quick poll..
  • 16. entityIDs vs scopes Subject Identifiers in the UK federation 16  Existing SAML attributes are tied based on entityID - another problem!  Deployment of the new Subject Identifiers  Will eventually free us from the tie of the entityID  Will tie us instead to the scope  In the meantime, we will be tied to both?  Aren't we already?  Scopes  A single scope can be asserted by multiple IdPs  IdPs can assert multiple scopes (depending on their software/configuration)  Scopes and the domains they represent are verified for compliance with our metadata registration practice statement [1] [1] https://docs.ukfederation.org.uk/mdrps/
  • 17. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 17  No personalisation, no worries?  Possibly one, reporting may show more unique users.
  • 18. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 18 Maintaining Personalisation  Problem of mapping X to Y in a lot of cases  https://idp.example.ac.uk/idp!https://sp.example.org/sp!bWVyaG1hc2RnYXNkZ2hhc2RnCg==  NVSXE2DNMFZWIZ3BONSGO2DBONSGOCQ=@example.ac.uk  Will likely need co-ordination between IdP and SP  Might need to share and log the most recent Assertion ID to aid this process.  Attribute priority might need to be done per customer, rather than per service?  In the Shibboleth SP REMOTE_USER vs Attribute itself
  • 19. Supporting the SAML subject identifiers - SP Subject Identifiers in the UK federation 19 Building a new SP  If I was deploying an SP today and required personalisation attributes..  urn:oasis:names:tc:SAML:attribute:subject-id fallback to eduPersonPrincipalName  urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonTargetedID • urn:oasis:names:tc:SAML:attribute:pairwise-id fallback to eduPersonPrincipalName  Handy if your end application can’t handle SPentityID!IdPentityID!value
  • 20. Supporting the SAML subject identifiers – UK federation  What do we need to do?  Build the new entity category support into our tooling, so that SPs can signal their support  Setup IdP test accounts that release pairwise-id and subject-id  Test SP and attribute viewer  Might be additional entityIDs based on the four values of the entity attribute  Guidance/documentation for Shibboleth IdP and SP operators  Your thoughts and feedback? Subject Identifiers in the UK federation 20
  • 21. Two questions for IdPs? Subject Identifiers in the UK federation 21 • How are you deriving eduPersonTargetedID? • (what is the source attribute) • Or persistent-name-id • How are you deriving eduPersonPrincipalName? • (what is the source attribute)?

Notes de l'éditeur

  1. * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other?
  2. How are you deriving eduPersonTargetedID? (what is the source attribute) * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other? How are you deriving eduPersonPrincipalName (what is the source attribute)? * Attribute generated by the Directory Service (objectGUID, objectSid)? * Attribute based on the Users firstname/surname (uid, sAMAccountName, userPrincipalName, cn, mail)? * Attribute based on an organisation identifier (employee number, student number)? * Other?