[Openid-specs-fastfed] FastFed SAML Feedback

Nicholas Roy roy.nicholas at gmail.com
Tue May 12 21:57:50 UTC 2020


Realized that Mike Jones asked me to copy him on this, then I forgot to.
Doing so now.

On Tue, May 12, 2020 at 3:57 PM Nicholas Roy <roy.nicholas at gmail.com> wrote:

> Hi,
>
> I've been asked to provide feedback on the FastFed drafts. The following
> is a roughly compiled, likely incomplete list, which is the result of
> review of the FastFed SAML profile by some people within the SAML
> deployment and standards communities I work with. I am acting as a relay.
> I've requested that others from these groups also join this list, to enable
> a dialogue about the issues and their potential resolutions.
>
>    1. Violates the SAML 2.0 standard by misusing the persistent nameID
>    format
>    2. Abuses unspecified NameFormat in mapping attributes from SCIM, does
>    not use the proper official names for these attributes (inetOrgPerson).
>    This scheme is not interoperability-safe since it is string-based and not
>    oid-based.
>    3. The claim that SAML doesn’t support provisioning of groups is
>    incorrect.
>    4. “No standard mechanism for an identity provider and application
>    provider to directly exchange metadata required by existing standards” is
>    incorrect. See:
>    https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management
>    and
>    https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management.
>    These methods are currently in use by tens of thousands of Identity
>    Providers and Service Providers globally, just within the Research and
>    Education community: https://technical.edugain.org/status.
>    5. Using email address as a user identifier is a practice that is
>    known to be problematic (see also:
>    https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/)
>    6. SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that
>    should be used (admittedly, they are new, but all reasonably
>    well-implemented SAML software should be able to support them if configured
>    to do so):
>    https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
>
> Best Regards,
>
> Nick Roy
>
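Points 1, 5 and 6 above concern which value a service provider should treat as the user's identifier. The following is an added example, not part of the mailing-list message or of the FastFed drafts, showing how a relying party can prefer the OASIS Subject Identifier Attributes (`pairwise-id`, then `subject-id`, attribute names and NameFormat taken from the profile linked in point 6), fall back to a persistent NameID, and refuse to key an account on an emailAddress NameID. The sample assertions and their values are constructed for the example; the value-shape regex is a simplified version of the profile's syntax, and the parser is the standard library's, so in a real deployment signature verification and a hardened XML parser would run before this selection step.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Names defined by the OASIS "SAML V2.0 Subject Identifier Attributes Profile"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# NameID formats from SAML core / SAML 1.1
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Simplified shape check (assumption): "uniquepart@scope", ASCII only, one '@'.
_ID_RE = re.compile(r"^[A-Za-z0-9=-]+@[A-Za-z0-9.-]+$")


def _attribute_values(assertion, name):
    """Values of the named Attribute, only if it carries the required URI NameFormat."""
    for attr in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name and attr.get("NameFormat") == URI_FORMAT:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return []


def select_subject_identifier(assertion_xml):
    """Return (kind, value) for the identifier an SP should key on, or None.

    Preference order: pairwise-id, subject-id, persistent NameID.
    An emailAddress NameID is never accepted as the account key (point 5).
    """
    root = ET.fromstring(assertion_xml)
    for kind, name in (("pairwise-id", PAIRWISE_ID), ("subject-id", SUBJECT_ID)):
        values = _attribute_values(root, name)
        # The profile allows exactly one value; comparisons are case-insensitive,
        # so the value is normalised to lowercase before it is used as a key.
        if len(values) == 1 and _ID_RE.match(values[0]):
            return kind, values[0].lower()
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.text and nameid.get("Format") == PERSISTENT_NAMEID:
        # Persistent NameIDs are only unique within their NameQualifier /
        # SPNameQualifier pair; a production SP must store those alongside the value.
        return "persistent-nameid", nameid.text.strip()
    return None


# Constructed sample assertions (no signatures, minimal elements).
SAMPLE_WITH_SUBJECT_ID = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>A1b2C3@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAMPLE_EMAIL_ONLY = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.edu</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""

SAMPLE_PERSISTENT = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.edu/idp"
                 SPNameQualifier="https://sp.example.com/sp">d3f9a7c0</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""

if __name__ == "__main__":
    for label, doc in (("subject-id", SAMPLE_WITH_SUBJECT_ID),
                       ("email only", SAMPLE_EMAIL_ONLY),
                       ("persistent", SAMPLE_PERSISTENT)):
        print(label, "->", select_subject_identifier(doc))
```

The email-only assertion yields `None`: the SP has nothing stable to key on, which is the situation point 5 warns about when an address is recycled. The persistent NameID case returns the opaque value but, as the comment notes, it is only meaningful together with its qualifiers, which is why the scoped `subject-id` form is simpler to handle.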