[Openid-specs-fastfed] FastFed SAML Feedback

Nicholas Roy roy.nicholas at gmail.com
Tue May 12 21:57:02 UTC 2020


Hi,

I've been asked to provide feedback on the FastFed drafts. The following is
a roughly compiled, likely incomplete list, which is the result of review
of the FastFed SAML profile by some people within the SAML deployment and
standards communities I work with. I am acting as a relay. I've requested
that others from these groups also join this list, to enable a dialogue
about the issues and their potential resolutions.

1. Violates the SAML 2.0 standard by misusing the persistent NameID
   format.
2. Abuses the unspecified NameFormat in mapping attributes from SCIM, and does
   not use the proper official names for these attributes (inetOrgPerson).
   This scheme is not interoperability-safe since it is string-based and not
   OID-based.
3. The claim that SAML doesn't support provisioning of groups is incorrect.
4. "No standard mechanism for an identity provider and application
   provider to directly exchange metadata required by existing standards" is
   incorrect. See:
   https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management
   and
   https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management
   These methods are currently in use by tens of thousands of Identity
   Providers and Service Providers globally, just within the Research and
   Education community: https://technical.edugain.org/status
5. Using an email address as a user identifier is a practice that is known
   to be problematic (see also:
   https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/).
6. SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that should
   be used (admittedly, they are new, but all reasonably well-implemented SAML
   software should be able to support them if configured to do so):
   https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html

Best Regards,

Nick Roy
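As an added example (not part of this message, the FastFed drafts, or the OASIS profile itself), here is a Python check in the spirit of point 6 that a Service Provider could apply to the subject-id attribute of an incoming assertion: it insists on the URI NameFormat the OASIS Subject Identifier Attributes profile prescribes (rather than the unspecified format criticised in point 2), validates the uniqueID@scope syntax, and accepts only scopes the asserting IdP is authorised for. The allowed-scope list, the sample assertion and the function name are constructed here; the character classes follow the profile's syntax rules.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Value syntax from the OASIS profile: uniqueID "@" scope, compared case-insensitively.
SCOPED_ID_RE = re.compile(r"^([A-Za-z0-9=-]+)@([A-Za-z0-9.-]+)$")


def validate_subject_id(assertion_xml, allowed_scopes, attr_name=SUBJECT_ID):
    """Return (uniqueID, scope), lower-cased, for a well-formed subject-id (or, with
    attr_name changed, pairwise-id) attribute, or (None, reason) if the assertion
    must be rejected.  allowed_scopes: the scopes this IdP may assert, assumed
    here to have been taken from its metadata (constructed in this example)."""
    root = ET.fromstring(assertion_xml)
    matches = [a for a in root.iter(f"{{{SAML_NS}}}Attribute") if a.get("Name") == attr_name]
    if len(matches) != 1:
        return None, f"expected exactly one {attr_name} attribute, got {len(matches)}"
    attr = matches[0]
    # The profile fixes the NameFormat; 'unspecified' leaves the attribute's meaning open.
    if attr.get("NameFormat") != URI_NAME_FORMAT:
        return None, "NameFormat must be the URI format"
    values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    if len(values) != 1:
        return None, "attribute must carry exactly one value"
    m = SCOPED_ID_RE.match(values[0].strip())
    if not m:
        return None, "value is not of the form uniqueID@scope"
    uid, scope = m.group(1).lower(), m.group(2).lower()
    # Accept only scopes this IdP is entitled to; otherwise one IdP could mint
    # identifiers that collide with, or impersonate, users of another organisation.
    if scope not in {s.lower() for s in allowed_scopes}:
        return None, f"scope {scope!r} is not authorised for this IdP"
    return uid, scope


# Constructed sample assertion fragment (not taken from any real deployment).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{SUBJECT_ID}" NameFormat="{URI_NAME_FORMAT}">
      <saml2:AttributeValue>Abc123@Example.EDU</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# Same attribute sent with the 'unspecified' NameFormat, which the check rejects.
UNSPECIFIED_ASSERTION = SAMPLE_ASSERTION.replace(
    URI_NAME_FORMAT, "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified")
```

The scope check is the part most often skipped in practice: without it, any IdP in a federation could assert identifiers in another organisation's scope.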