[Openid-specs-fastfed] Reminder of action from prior WG meeting: SAML Profile change

McAdams, Darin darinm at amazon.com
Tue Aug 25 21:31:31 UTC 2020


Reminder: FastFed WG meeting is tomorrow morning. Appreciate if anyone can bring feedback on the open question below.

From: "McAdams, Darin" <darinm at amazon.com>
Date: Thursday, August 13, 2020 at 2:11 PM
To: Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Subject: Reminder of action from prior WG meeting: SAML Profile change

Hi all,
I wanted to send a reminder about one of the actions from a prior WG meeting. (Sorry I missed the most recent one.)

For those who attended, you may recall that we discussed shuffling the SAML profile <https://openid.net/specs/fastfed-saml-1_0-02.html#rfc.section.3.1.2>. Currently, the profile requires putting the “username” into the SAML Subject. Other data, such as the persistent “externalId”, goes into the SAML Attributes. This reflects common industry practices.

The question was whether to invert. Put the persistent “externalId” into the SAML Subject. The “username” and other fields would go into the attributes.

The intent was primarily to signal a best practice of relying on the persistent ID as the primary identifier, since “username” is mutable and recyclable. In reality, we recognize that a lot of software today is built around the “username” and the software won’t change. That’s OK. Again, this is purely arranging the data in a way that signals best practices. No other functional changes. All the same data still exists in the SAML response.

The action we took: Check our own systems to determine if this materially impacts the level of effort for conforming to FastFed.

I checked on my side and the work appears trivial for my org. Simply another transformer to map SAML messages into an internal representation.

REQUEST: Before the next meeting, can others confirm if the impact of the proposed change is acceptable?

I’ll send another reminder as the meeting date approaches.

Thanks!
Darin
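
Added example, not part of the original message or of the FastFed specification: a sketch of the kind of transformer mentioned above, mapping either arrangement (username in the Subject, or externalId in the Subject) to one internal record and keying accounts on the persistent externalId. The attribute names "username" and "externalId", the `layout` switch, and the sample assertions are assumptions constructed for illustration; signature and condition validation are assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def assertion(subject, attrs):
    """Build a constructed, unsigned sample assertion (not real IdP output)."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement>'
            f'</saml:Assertion>')

def to_internal(xml_text, layout):
    """Map an assertion to {'externalId', 'username'} for either layout.

    layout="current":  Subject carries username, externalId is an attribute.
    layout="proposed": Subject carries externalId, username is an attribute.
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if layout == "current":
        ident = {"externalId": attrs.get("externalId"), "username": name_id}
    elif layout == "proposed":
        ident = {"externalId": name_id, "username": attrs.get("username")}
    else:
        raise ValueError(f"unknown layout: {layout}")
    if not ident["externalId"] or not ident["username"]:
        raise ValueError("assertion lacks externalId or username")
    return ident

def resolve(accounts, ident):
    """Find or create the account keyed on the persistent externalId."""
    acct = accounts.setdefault(ident["externalId"], {})
    acct["username"] = ident["username"]  # mutable display value, refreshed
    return ident["externalId"]

if __name__ == "__main__":
    accounts = {}
    first = to_internal(assertion("jdoe", {"externalId": "id-001"}), "current")
    reused = to_internal(assertion("id-002", {"username": "jdoe"}), "proposed")
    print(resolve(accounts, first), resolve(accounts, reused), accounts)
```

Because the lookup key is the externalId in both layouts, a recycled username arriving with a different externalId creates a separate account instead of inheriting the earlier one.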