[Openid-specs-fastfed] FastFed SAML Feedback
Nicholas Roy
roy.nicholas at gmail.com
Tue May 12 21:57:02 UTC 2020
Hi,
I've been asked to provide feedback on the FastFed drafts. The following is
a roughly compiled, likely incomplete list, which is the result of review
of the FastFed SAML profile by some people within the SAML deployment and
standards communities I work with. I am acting as a relay. I've requested
that others from these groups also join this list, to enable a dialogue
about the issues and their potential resolutions.
1. Violates the SAML 2.0 standard by misusing the persistent nameID
format
2. Abuses the unspecified NameFormat in mapping attributes from SCIM, and does
not use the proper official names for these attributes (inetOrgPerson).
This scheme is not interoperability-safe since it is string-based and not
OID-based.
3. The claim that SAML doesn’t support provisioning of groups is incorrect.
4. “No standard mechanism for an identity provider and application
provider to directly exchange metadata required by existing standards” is
incorrect. See:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management
and
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management.
These methods are currently in use by tens of thousands of Identity
Providers and Service Providers globally, just within the Research and
Education community: https://technical.edugain.org/status.
5. Using email address as a user identifier is a practice that is known
to be problematic (see also:
https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/)
6. SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that should
be used (admittedly, they are new, but all reasonably well-implemented SAML
software should be able to support them if configured to do so):
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
Best Regards,
Nick Roy
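A small checker for the attribute-naming points raised in items 2 and 6 of the message above, added here as an example; it is not part of the original post, the FastFed drafts, or any OASIS/Kantara deliverable. It assumes two constructed AttributeStatement fragments (one using SCIM-style string names with the unspecified NameFormat, one using OID-based inetOrgPerson names plus a subject-id), an illustrative OID-to-friendly-name table, and the uniqueID@scope value syntax defined in saml-subject-id-attr v1.0.

```python
"""Audit a SAML 2.0 AttributeStatement for interoperable attribute naming.

Checks:
  * every <Attribute> carries the URI NameFormat, not "unspecified";
  * attribute Names are OID-based (urn:oid:...) rather than bare strings
    lifted from SCIM (userName, emails, ...);
  * a standard subject identifier (subject-id or pairwise-id, per
    saml-subject-id-attr v1.0) is present and syntactically valid, so the
    relying party does not have to key on the mail attribute.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"

# Friendly names for a few OID-based inetOrgPerson attributes, used only to make
# findings readable. This small table is an assumption of this example.
OID_FRIENDLY = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}

# Value syntax from saml-subject-id-attr v1.0: uniqueID "@" scope, where uniqueID
# is 1-127 chars of [A-Za-z0-9=-] and scope is 1-127 chars of [A-Za-z0-9.-].
_SUBJECT_ID_RE = re.compile(r"[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.-]{1,127}")


def is_valid_subject_id(value: str) -> bool:
    """True if value matches the subject-id / pairwise-id value syntax."""
    return _SUBJECT_ID_RE.fullmatch(value) is not None


def audit_attribute_statement(xml_text: str) -> list:
    """Return a list of findings; an empty list means the statement is clean."""
    # Assumption: xml_text is an already signature-verified fragment. For
    # untrusted XML, parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text.strip())
    findings = []
    has_std_id = False
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat")
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        label = OID_FRIENDLY.get(name, name)
        if fmt != URI_FORMAT:
            findings.append(f"{label}: NameFormat {fmt!r} is not the URI format")
        if name in (SUBJECT_ID, PAIRWISE_ID):
            has_std_id = True
            for v in values:
                if not is_valid_subject_id(v):
                    findings.append(f"{label}: value {v!r} violates uniqueID@scope syntax")
        elif not name.startswith("urn:oid:"):
            findings.append(f"{label}: string-based name, not OID-based")
    if not has_std_id:
        findings.append("no subject-id or pairwise-id attribute; relying party "
                        "would have to key on mail, which is not a stable identifier")
    return findings


# Constructed sample: SCIM attribute names carried with the unspecified NameFormat.
SCIM_STYLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="userName" NameFormat="{UNSPECIFIED_FORMAT}">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="emails" NameFormat="{UNSPECIFIED_FORMAT}">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: OID-based names plus a subject-id, all with the URI NameFormat.
OID_STYLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{SUBJECT_ID}" NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>3f2a9c7e-01@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    for title, doc in (("SCIM-style", SCIM_STYLE_STATEMENT),
                       ("OID-style", OID_STYLE_STATEMENT)):
        print(f"== {title} ==")
        for finding in audit_attribute_statement(doc) or ["clean"]:
            print(" -", finding)
```

The SCIM-style fragment produces five findings (two per attribute, plus the missing standard identifier); the OID-style fragment produces none. Note that the subject-id syntax check is purely lexical: a string that happens to look like an e-mail address can pass it, so the check enforces the identifier's format, not the semantic point in item 5 that mail addresses get recycled.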