[Openid-specs-fastfed] Reminder of action from prior WG meeting: SAML Profile change
Erik Gustavson
erikgustavson at google.com
Wed Aug 26 00:23:47 UTC 2020
I like the idea of negotiating nameid formats up front. I'm not a huge fan
of encouraging SPs to look into the attributes to find the subject's
identifier as that feels like we're encouraging bad practices.
On Tue, Aug 25, 2020 at 4:02 PM Karl McGuinness via Openid-specs-fastfed <
openid-specs-fastfed at lists.openid.net> wrote:
> Hi Darin.
>
> We are fine supporting persistent id as the SAML subject and passing
> username/email as attribute statements from a product capability
> perspective.
>
> The challenge is the large number of SPs that don’t support this today and
> the way SSO deployments happen in the real world. SSO is turned on before
> provisioning with SCIM. Users often already exist in the SP when SSO is
> enabled (e.g. created manually in SaaS admin app) and the IdP doesn’t know
> the external id for the subject. This is often a reason why SaaS SPs use
> email/username as the subject identifier as this is something that can be
> determined by the IdP. SPs often don’t assume the users were provisioned
> by the IdP and have limited/restricted SAML configuration. Using
> persistent name identifiers in practice with SaaS is often only feasible
> when the subjects were provisioned by the IdP.
>
> I strongly prefer we preserve the option to decouple SSO and
> provisioning. One possible solution is supporting both
> "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" and
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" or
> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" formats that are
> negotiated during the handshake. An SP can choose to support one or both
> while IdP would always support both.
>
> I prefer to be explicit with the name identifier vs relying on the SP to
> sometimes process the name identifier and sometimes ignore and just use
> attributes to identify the subject.
>
> -Karl
>
> > On Aug 25, 2020, at 2:31 PM, McAdams, Darin via Openid-specs-fastfed <
> openid-specs-fastfed at lists.openid.net> wrote:
> >
> > Reminder: FastFed WG meeting is tomorrow morning. Appreciate if anyone
> can bring feedback on the open question below.
> >
> > From: "McAdams, Darin" <darinm at amazon.com>
> > Date: Thursday, August 13, 2020 at 2:11 PM
> > To: Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
> > Subject: Reminder of action from prior WG meeting: SAML Profile change
> >
> > Hi all,
> > I wanted to send a reminder about one of the actions from a prior WG
> meeting. (Sorry I missed the most recent one.)
> >
> > For those who attended, you may recall that we discussed shuffling the
> SAML profile. Currently, the profile requires putting the “username” into
> the SAML Subject. Other data, such as the persistent “externalId”, goes
> into the SAML Attributes. This reflects common industry practices.
> >
> > The question was whether to invert. Put the persistent “externalId” into
> the SAML Subject. The “username” and other fields would go into the
> attributes.
> >
> > The intent was primarily to signal a best practice of relying on the
> persistent ID as the primary identifier, since “username” is mutable and
> recyclable. In reality, we recognize that a lot of software today is built
> around the “username” and the software won’t change. That’s OK. Again, this
> is purely arranging the data in a way that signals best practices. No other
> functional changes. All the same data still exists in the SAML response.
> >
> > The action we took: Check our own systems to determine if this
> materially impacts the level of effort for conforming to FastFed.
> >
> > I checked on my side and the work appears trivial for my org. Simply
> another transformer to map SAML messages into an internal representation.
> >
> > REQUEST: Before the next meeting, can others confirm if the impact of
> the proposed change is acceptable?
> >
> > I’ll send another reminder as the meeting date approaches.
> >
> > Thanks!
> > Darin
> > _______________________________________________
> > Openid-specs-fastfed mailing list
> > Openid-specs-fastfed at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-fastfed
>
--
Erik Gustavson
erikgustavson at google.com
Engineering Manager - Google Apps Core
650-451-1372
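The SP-side handling the thread is debating, as an added example that is not part of the original thread or of the FastFed specification: the SP takes the subject only from the SAML NameID, rejects the assertion if the NameID format is not one of the formats it negotiated up front, and reads username-style data from the attribute statement instead of hunting there for the identifier. The sample assertion, its identifier values and the "username" attribute name are constructed; signature validation is assumed to have already happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample (not from the thread): persistent externalId in the
# Subject, username carried as an attribute, as the proposed profile lays out.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ext-7f3a91</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_subject(assertion_xml, negotiated_formats):
    """Return (identifier, nameid_format, attributes) for an already
    signature-verified assertion, or raise ValueError if the Subject is
    missing or its NameID format was not negotiated with the IdP."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no Subject NameID")
    # SAML defaults an absent Format attribute to "unspecified".
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt not in negotiated_formats:
        raise ValueError(f"NameID format {fmt} was not negotiated")
    # Attributes are supplementary data (username, display name, ...);
    # they are never used to decide who the subject is.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text for v in values]
    return name_id.text.strip(), fmt, attrs


def subject_accepted(assertion_xml, negotiated_formats):
    """True if the assertion's NameID satisfies the negotiated formats."""
    try:
        resolve_subject(assertion_xml, negotiated_formats)
        return True
    except ValueError:
        return False
```

An SP that negotiated only the email format would reject this assertion, and one that negotiated both formats would key the account on `ext-7f3a91` while treating `alice@example.com` as a mutable display attribute.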