[Openid-specs-fastfed] Reminder of action from prior WG meeting: SAML Profile change

Karl McGuinness kmcguinness at okta.com
Tue Aug 25 22:29:09 UTC 2020


Hi Darin.

We are fine supporting persistent id as the SAML subject and passing username/email as attribute statements from a product capability perspective.

The challenge is the large number of SPs that don't support this today and the way SSO deployments happen in the real world. SSO is turned on before provisioning with SCIM. Users often already exist in the SP when SSO is enabled (e.g. created manually in the SaaS admin app) and the IdP doesn't know the external id for the subject. This is often a reason why SaaS SPs use email/username as the subject identifier, as this is something that can be determined by the IdP. SPs often don't assume the users were provisioned by the IdP and have limited/restricted SAML configuration. Using persistent name identifiers in practice with SaaS is often only feasible when the subjects were provisioned by the IdP.

I strongly prefer we preserve the option to decouple SSO and provisioning. One possible solution is supporting both "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" and "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" or "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" formats that are negotiated during the handshake. An SP can choose to support one or both while the IdP would always support both.

I prefer to be explicit with the name identifier vs. relying on the SP to sometimes process the name identifier and sometimes ignore it and just use attributes to identify the subject.

-Karl

> On Aug 25, 2020, at 2:31 PM, McAdams, Darin via Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net> wrote:
> 
> 
> Reminder: FastFed WG meeting is tomorrow morning. Appreciate if anyone can bring feedback on the open question below.
>  
> From: "McAdams, Darin" <darinm at amazon.com>
> Date: Thursday, August 13, 2020 at 2:11 PM
> To: Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
> Subject: Reminder of action from prior WG meeting: SAML Profile change
>  
> Hi all,
> I wanted to send a reminder about one of the actions from a prior WG meeting. (Sorry I missed the most recent one.)
>  
> For those who attended, you may recall that we discussed shuffling the SAML profile. Currently, the profile requires putting the “username” into the SAML Subject. Other data, such as the persistent “externalId”, goes into the SAML Attributes. This reflects common industry practices.
>  
> The question was whether to invert. Put the persistent “externalId” into the SAML Subject. The “username” and other fields would go into the attributes.
>  
> The intent was primarily to signal a best practice of relying on the persistent ID as the primary identifier, since “username” is mutable and recyclable. In reality, we recognize that a lot of software today is built around the “username” and the software won’t change. That’s OK. Again, this is purely arranging the data in a way that signals best practices. No other functional changes. All the same data still exists in the SAML response.
>  
> The action we took: Check our own systems to determine if this materially impacts the level of effort for conforming to FastFed.
>  
> I checked on my side and the work appears trivial for my org. Simply another transformer to map SAML messages into an internal representation.
>  
> REQUEST: Before the next meeting, can others confirm if the impact of the proposed change is acceptable?
>  
> I’ll send another reminder as the meeting date approaches.
>  
> Thanks!
> Darin
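As an added example (not code from this thread, from Okta, Amazon or the FastFed specification), the following Python sketch puts both proposals side by side: the NameID format negotiation Karl suggests, where the IdP supports all three formats and the SP advertises one or more, and the arrangement Darin describes, where the persistent externalId goes into the Subject while username and other fields ride along as attributes so no data is lost. The negotiation function, the user dictionaries, the attribute names and the sample users are assumptions made for illustration; the NameID format URNs and the SAML 2.0 assertion namespace are the standard ones. It also models the failure mode Karl raises: a user created directly in the SaaS app before SCIM provisioning has no externalId, so a persistent NameID cannot be issued for them.

```python
from xml.etree import ElementTree as ET

# NameID formats named in the thread (standard SAML URNs)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumption from Karl's proposal: the IdP always supports every format,
# the SP advertises the subset it can handle.
IDP_SUPPORTED = (PERSISTENT, EMAIL, UNSPECIFIED)

# Constructed sample users (not real data). The second one was created by
# hand in the SaaS admin app before provisioning, so the IdP has no externalId.
PROVISIONED_USER = {"externalId": "ext-0001-provisioned", "username": "alice", "email": "alice@example.com"}
PREEXISTING_USER = {"externalId": None, "username": "bob", "email": "bob@example.com"}


def negotiate_nameid_format(sp_supported, idp_supported=IDP_SUPPORTED):
    """Hypothetical handshake step: pick one NameID format for this SP/IdP pair.

    Persistent wins whenever both sides list it (Darin's best-practice intent);
    otherwise the SP's first mutually supported format is used.
    """
    common = [fmt for fmt in sp_supported if fmt in idp_supported]
    if not common:
        raise ValueError("no NameID format in common between SP and IdP")
    return PERSISTENT if PERSISTENT in common else common[0]


def nameid_value(user, fmt):
    """Map the negotiated format to the user field that becomes the Subject NameID."""
    if fmt == PERSISTENT:
        if not user.get("externalId"):
            # Karl's concern: SSO enabled before SCIM provisioning, so the IdP
            # cannot produce a persistent identifier for this subject.
            raise LookupError("persistent NameID requested but no externalId is known")
        return user["externalId"]
    if fmt == EMAIL:
        return user["email"]
    return user["username"]  # unspecified: fall back to the mutable username


def build_assertion_fragment(user, fmt):
    """IdP side: Subject carries the negotiated NameID; every known identifier
    is also emitted as an attribute, so the same data exists either way."""
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=fmt)
    nameid.text = nameid_value(user, fmt)
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name in ("externalId", "username", "email"):
        if user.get(name) is None:
            continue  # unknown identifiers are simply omitted, never blank
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = user[name]
    return ET.tostring(root, encoding="unicode")


def extract_identifiers(xml_text):
    """SP side: read the NameID (format and value) and the attribute map back out."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    nameid = root.find("saml:Subject/saml:NameID", ns)
    attrs = {
        attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=ns)
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns)
    }
    return {"format": nameid.get("Format"), "value": nameid.text, "attributes": attrs}


if __name__ == "__main__":
    fmt = negotiate_nameid_format([EMAIL, PERSISTENT])
    print(fmt)
    print(build_assertion_fragment(PROVISIONED_USER, fmt))
    fmt = negotiate_nameid_format([EMAIL])
    print(extract_identifiers(build_assertion_fragment(PREEXISTING_USER, fmt)))
```

An SP that advertises only the email format keeps working for users it created itself, while an SP that lists persistent gets the externalId in the Subject and still receives username and email as attributes; the LookupError is the point at which a real deployment has to decide whether to fall back or to require provisioning first.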


