[Openid-specs-fastfed] FastFed SAML Feedback
Nicholas Roy
roy.nicholas at gmail.com
Tue May 12 21:57:50 UTC 2020
Realized that Mike Jones asked me to copy him on this, then I forgot to.
Doing so now.
On Tue, May 12, 2020 at 3:57 PM Nicholas Roy <roy.nicholas at gmail.com> wrote:
> Hi,
>
> I've been asked to provide feedback on the FastFed drafts. The following
> is a roughly compiled, likely incomplete list, which is the result of
> review of the FastFed SAML profile by some people within the SAML
> deployment and standards communities I work with. I am acting as a relay.
> I've requested that others from these groups also join this list, to enable
> a dialogue about the issues and their potential resolutions.
>
> 1. Violates the SAML 2.0 standard by misusing the persistent nameID
> format
> 2. Abuses unspecified NameFormat in mapping attributes from SCIM, does
> not use the proper official names for these attributes (inetOrgPerson).
> This scheme is not interoperability-safe since it is string-based and not
> oid-based.
> 3. The claim that SAML doesn't support provisioning of groups is
> incorrect.
> 4. “No standard mechanism for an identity provider and application
> provider to directly exchange metadata required by existing standards” is
> incorrect. See:
> https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management
> and
> https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management.
> These methods are currently in use by tens of thousands of Identity
> Providers and Service Providers globally, just within the Research and
> Education community: https://technical.edugain.org/status.
> 5. Using email address as a user identifier is a practice that is
> known to be problematic (see also:
> https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/)
> 6. SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that
> should be used (admittedly, they are new, but all reasonably
> well-implemented SAML software should be able to support them if configured
> to do so):
> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
>
> Best Regards,
>
> Nick Roy
>
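Points 5 and 6 above argue that a service provider should key accounts on the SAML Subject Identifier Attributes (subject-id / pairwise-id) rather than on an email address. The following is an added illustration written for this archive page, not code from the FastFed drafts or from the message author; it uses the attribute names and NameFormat from the OASIS subject-id profile linked above, a constructed sample assertion, and an assumed list of trusted scopes.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not from any real IdP). It carries both an
# emailAddress NameID and a subject-id attribute, as many IdPs do.
SAMPLE_WITH_SUBJECT_ID = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" IssueInstant="2020-05-12T21:57:50Z" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>a7f3c9=@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: same assertion, but only the email NameID is present.
SAMPLE_EMAIL_ONLY = SAMPLE_WITH_SUBJECT_ID.split("<saml:AttributeStatement>")[0] + "</saml:Assertion>"

def pick_principal(assertion_xml, allowed_scopes):
    """Return (attribute_name, value) for the identifier to key the account on.
    Prefers subject-id, then pairwise-id; never falls back to an email NameID.
    allowed_scopes: assumed set of lowercase scopes this SP trusts for the issuer."""
    root = ET.fromstring(assertion_xml)
    for name in (SUBJECT_ID, PAIRWISE_ID):
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") != name or attr.get("NameFormat") != URI_FORMAT:
                continue  # wrong attribute, or not the URI NameFormat the profile requires
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            if len(values) != 1:
                raise ValueError(f"{name} must be single-valued, got {len(values)}")
            unique_id, sep, scope = values[0].partition("@")
            if not (sep and unique_id and scope.lower() in allowed_scopes):
                raise ValueError(f"{name} value {values[0]!r} malformed or scope not trusted")
            return name, f"{unique_id}@{scope.lower()}"  # scope compared case-insensitively
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == EMAIL_NAMEID:
        raise ValueError("only an emailAddress NameID present; refusing a reassignable identifier")
    raise ValueError("no subject-id or pairwise-id attribute in assertion")

def accepts(assertion_xml, allowed_scopes):
    """True if the assertion yields an acceptable principal identifier."""
    try:
        pick_principal(assertion_xml, allowed_scopes)
        return True
    except ValueError:
        return False
```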