[Openid-specs-fastfed] FastFed SAML Feedback

Mike Jones Michael.Jones at microsoft.com
Thu May 14 15:43:40 UTC 2020


It’s my hope that the working group members will now have a dialog with Nick and the others behind this feedback to figure out how to address the feedback.

I’ll start this off by asking for more specifics on 1.  How is the spec misusing the persistent nameID format and what change would those that wrote this feedback suggest to address this issue, Nick?

-- Mike

From: Openid-specs-fastfed <openid-specs-fastfed-bounces at lists.openid.net> On Behalf Of Nicholas Roy via Openid-specs-fastfed
Sent: Tuesday, May 12, 2020 2:57 PM
To: openid-specs-fastfed at lists.openid.net
Subject: [Openid-specs-fastfed] FastFed SAML Feedback

Hi,

I've been asked to provide feedback on the FastFed drafts. The following is a roughly compiled, likely incomplete list, which is the result of review of the FastFed SAML profile by some people within the SAML deployment and standards communities I work with. I am acting as a relay. I've requested that others from these groups also join this list, to enable a dialogue about the issues and their potential resolutions.

1. Violates the SAML 2.0 standard by misusing the persistent nameID format.
2. Abuses unspecified NameFormat in mapping attributes from SCIM, does not use the proper official names for these attributes (inetOrgPerson). This scheme is not interoperability-safe since it is string-based and not OID-based.
3. The claim that SAML doesn’t support provisioning of groups is incorrect.
4. “No standard mechanism for an identity provider and application provider to directly exchange metadata required by existing standards” is incorrect. See: https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management and https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management. These methods are currently in use by tens of thousands of Identity Providers and Service Providers globally, just within the Research and Education community: https://technical.edugain.org/status.
5. Using email address as a user identifier is a practice that is known to be problematic (see also: https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/).
6. SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that should be used (admittedly, they are new, but all reasonably well-implemented SAML software should be able to support them if configured to do so): https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html

Best Regards,

Nick Roy
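As an added illustration of points 2, 5 and 6 above (my own example, not code from the thread or from the FastFed drafts), the following lint checks a SAML assertion for the three deployment-community concerns: an email address used as the NameID, attributes carried with an unspecified NameFormat or non-OID names, and the absence of the OASIS subject-id/pairwise-id attribute. Both assertions are constructed samples.

```python
"""Lint a SAML 2.0 assertion against the SAML deployment-community feedback."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Identifier attributes from the OASIS SAML Subject Identifier Attributes profile.
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"


def lint_assertion(xml_text):
    """Return a list of findings; an empty list means the assertion passed."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") == FMT_EMAIL:
        findings.append("nameid: email address used as subject identifier")
    seen = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        seen.add(name)
        # A missing NameFormat defaults to 'unspecified' in SAML 2.0 core.
        if attr.get("NameFormat") != ATTRNAME_URI:
            findings.append(f"attribute {name}: NameFormat is not uri")
        elif not name.startswith(("urn:oid:", "urn:oasis:names:tc:SAML:attribute:")):
            findings.append(f"attribute {name}: not an OID-based name")
    if not seen & {SUBJECT_ID, PAIRWISE_ID}:
        findings.append("no subject-id or pairwise-id attribute")
    return findings


# Constructed sample: email NameID, SCIM-style string attribute name, no subject-id.
WEAK_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  >alice@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="userName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

# Constructed sample: persistent NameID, subject-id plus OID-named inetOrgPerson mail.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  >8f2a1c</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
   ><saml:AttributeValue>alice@idp.example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
   ><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

This checks naming and format conventions only; it does not verify the assertion's XML signature, which a relying party must still do before trusting any of these values.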

