Changes between Initial Version and Version 1 of Origami


Ignore:
Timestamp:
01/17/14 15:57:47 (11 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • Origami

    v1 v1  
     1== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Candidates]] / Origami == 
     2 
     3Origami is a service for risk management: http://origamirisk.com/ 
     4 
     5UA OIT Project Manager is Toni Abbey.  A target completion date for integration with UA Shibboleth login is 10 February 2014. 
     6 
     7As of 17 January 2014, basic information is still missing, referred to in the following email: 
     8 
     9From: David Bantz <dabantz@Alaska.edu>[[BR]] 
     10Subject: UA SAML assertion and NameID[[BR]] 
     11Date: Wednesday, 4 December 2013 at 12:11:23 AKST[[BR]] 
     12To: Jonathan Nichols <jnichols@origamirisk.com> 
     13 
     14Dear Jon, 
     15 
     16As we discussed, my first task toward integration of Origami’s service and UA Identity Provider for SSO seems for me to better understand your desire for NameID. 
     17 
     18Part of my confusion is that NameID can be defined as an attribute much like any other (analogous to a phone number or address of the principal except that phone/address may be shared or reassigned and a NameID should not be); but NameID is also used in the authentication portion of the SAML assertion - as the “subject” of the assertion.   
     19 
     20I understood or mis-understood you to want NameID in the subject to be a persistent identifier of the principal.  That should be possible, but it’s different from our practice with other services.   
     21 
     22Our practice is that the subject uses NameID from any identifier available.  Note this portion of the logs detailing an interaction with our IdP: 
     23{{{ 
     2414:54:47.036 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:509] - Filtering out potential name identifier attributes which can not be encoded by edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     2514:54:47.036 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     2614:54:47.036 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonScopedAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     2714:54:47.036 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute surname, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     2814:54:47.036 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:523] - Retaining attribute transientId which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     2914:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonPrincipalName, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     3014:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute givenName, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     3114:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute onemail, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     3214:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute displayname, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     3314:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:672] - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder 
     3414:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:699] - Selecting the first attribute that can be encoded in to a name identifier 
     3514:54:47.037 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:483] - Name identifier for relying party 'https://oeadev1.cac.washington.edu/shibboleth' will be built from attribute 'transientId' 
     3614:54:47.038 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:864] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://oeadev1.cac.washington.edu/shibboleth' 
     3714:54:47.038 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:729] - Attempting to encrypt NameID to relying party 'https://oeadev1.cac.washington.edu/shibboleth' 
     38}}} 
     39In this case, the subject nameID was built from a transientID - exactly the opposite of what you want for a persistent identifier of the principal.  My concern about relying on the nameID in the subject is this process of selection by the IdP may make it hard to guarantee that the subject will be the identifier you want. 
     40 
     41Our practice is that a service that needs a persistent identifier or key will use one of the attributes we can release - such as the uakPersonID (which is scoped to alaska.edu) or the un-scoped version bannerId.  For example, for me, these are (in the SAML assertion): 
     42 
     43<saml2:Attribute FriendlyName="uakPersonID" Name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
     44         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance”  
     45         xsi:type="xs:string">30459959@alaska.edu</saml2:AttributeValue> 
     46</saml2:Attribute> 
     47 
     48<saml2:Attribute FriendlyName="bannerID" Name="https://iam.alaska.edu/trac/wiki/IamUaArp#bannerID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
     49         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance”     
     50         xsi:type="xs:string">30459959</saml2:AttributeValue> 
     51</saml2:Attribute> 
     52 
     53I’ve described our practice not to insist that’s how we do it, but to help you help me understand what you need so I can determine what I need to do to meet the needs of your service.  
     54 
     55So to summarize, here are the options I see: 
     56 
     57(1) Rely on uakPersonID (or bannerID) attributes we are set up to release.  uakPersonID does have the characteristics of a “Name Identifier” (https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes) .[[BR]] 
     58(2) Encode the uakPersonID or bannerID as an attribute of type SAML23NameID with a named-format rather than encoded as uri as we currently do.[[BR]] 
     59(3) Encode these existing attributes with a different name if that’s needed.  [[BR]] 
     60(4) Ensure the uakPersonID identifier encrypted in the subject of the SAML assertion; that is the only option that will require significant work on my part.[[BR]] 
     61 
     62I hope this provides you enough information to help us determine what needs to be done.  Please let me know. 
     63 
     64Thank you, 
     65 
     66David Bantz 
     67U Alaska Identity & Access Mangement