[Openid-specs-fastfed] Reminder of action from prior WG meeting: SAML Profile change
McAdams, Darin
darinm at amazon.com
Thu Aug 13 21:11:18 UTC 2020
Hi all,
I wanted to send a reminder about one of the actions from a prior WG meeting. (Sorry I missed the most recent one.)
For those who attended, you may recall that we discussed shuffling the SAML profile <https://openid.net/specs/fastfed-saml-1_0-02.html#rfc.section.3.1.2>. Currently, the profile requires putting the “username” into the SAML Subject. Other data, such as the persistent “externalId”, goes into the SAML Attributes. This reflects common industry practices.
The question was whether to invert. Put the persistent “externalId” into the SAML Subject. The “username” and other fields would go into the attributes.
The intent was primarily to signal a best practice of relying on the persistent ID as the primary identifier, since “username” is mutable and recyclable. In reality, we recognize that a lot of software today is built around the “username” and the software won’t change. That’s OK. Again, this is purely arranging the data in a way that signals best practices. No other functional changes. All the same data still exists in the SAML response.
The action we took: Check our own systems to determine if this materially impacts the level of effort for conforming to FastFed.
I checked on my side and the work appears trivial for my org. Simply another transformer to map SAML messages into an internal representation.
REQUEST: Before the next meeting, can others confirm if the impact of the proposed change is acceptable?
I’ll send another reminder as the meeting date approaches.
Thanks!
Darin
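The following is an added example, not part of Darin's message or of the FastFed specification. It shows the two assertion layouts under discussion (current: username in the SAML Subject, externalId in the attributes; proposed: externalId in the Subject, username in the attributes), a small transformer of the kind described above that maps either layout onto one internal record, and an account store keyed on the persistent ID so that a username rename or a recycled username cannot cross-link accounts. The attribute names `username` and `externalId`, the `Identity` and `AccountStore` classes and all sample values are assumptions made for this illustration; the assertions are constructed, unsigned fragments, and the transformer assumes signature and condition validation of the enclosing SAML Response has already happened.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names are hypothetical; the real names are defined by the FastFed SAML profile.
ATTR_USERNAME = "username"
ATTR_EXTERNAL_ID = "externalId"


@dataclass(frozen=True)
class Identity:
    """Internal representation: what the service actually keys on."""
    persistent_id: str  # stable, never recycled
    username: str       # mutable, may later be reassigned to someone else


def build_assertion(subject, attributes):
    """Constructed, unsigned test assertion: a Subject/NameID plus an AttributeStatement."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def _single_attribute(root, name):
    """Return the one value of the named attribute; reject missing or multi-valued attributes."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    values = [v.text for v in root.findall(path, SAML_NS) if v.text]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name!r} value, got {len(values)}")
    return values[0]


def to_identity(assertion_xml, subject_is_external_id):
    """Transformer: map either profile layout onto the internal Identity record.

    Assumes the caller has already verified the signature, audience and time
    conditions of the enclosing SAML Response; this only reads a trusted assertion.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    if subject_is_external_id:  # proposed layout: persistent ID in the Subject
        return Identity(persistent_id=name_id.text,
                        username=_single_attribute(root, ATTR_USERNAME))
    # current layout: username in the Subject, persistent ID in the attributes
    return Identity(persistent_id=_single_attribute(root, ATTR_EXTERNAL_ID),
                    username=name_id.text)


class AccountStore:
    """Accounts keyed on the persistent ID, so renames and recycled usernames do not cross-link."""

    def __init__(self):
        self._by_persistent_id = {}

    def provision(self, identity):
        account = {"username": identity.username, "roles": []}
        self._by_persistent_id[identity.persistent_id] = account
        return account

    def resolve(self, identity):
        """Look up by persistent ID only; a changed username is propagated, never used as the key."""
        account = self._by_persistent_id.get(identity.persistent_id)
        if account is None:
            return None  # unknown persistent ID, even if the username matches an old account
        if account["username"] != identity.username:
            account["username"] = identity.username
        return account
```

Both layouts carry the same data, so `to_identity` yields an identical `Identity` for each; the difference the proposal makes is which field the profile places in the Subject, and therefore which one an implementer reaching for the Subject first will key on. The `AccountStore` shows why that matters: after a rename, the same persistent ID still resolves to the same account, while a newly issued persistent ID carrying a recycled username resolves to nothing rather than to the previous holder's account.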