<div dir="ltr">Realized that Mike Jones asked me to copy him on this, then I forgot to. Doing so now.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 12, 2020 at 3:57 PM Nicholas Roy <<a href="mailto:roy.nicholas@gmail.com">roy.nicholas@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><p class="MsoNormal">Hi,</p>
<div><p class="MsoNormal">I've been asked to provide feedback on the FastFed drafts. The following is a roughly compiled, likely incomplete list, which is the result of a review of the FastFed SAML profile by some people within the SAML deployment and standards communities I work with. I am acting as a relay. I've requested that others from these groups also join this list, to enable a dialogue about the issues and their potential resolutions.</p></div>
<div><ol start="1" type="1" style="margin-bottom:0in;margin-top:0in">
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">Violates the SAML 2.0 standard by misusing the persistent NameID format.</span></li>
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">Abuses the unspecified NameFormat in mapping attributes from SCIM, and does not use the proper official names for these attributes (inetOrgPerson). This scheme is not interoperability-safe, since it is string-based and not OID-based.</span></li>
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">The claim that SAML doesn’t support provisioning of groups is incorrect.</span></li>
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">“No standard mechanism for an identity provider and application provider to directly exchange metadata required by existing standards” is incorrect. See: <a href="https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management" target="_blank">https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management</a> and <a href="https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management" target="_blank">https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management</a>. These methods are currently in use by tens of thousands of Identity Providers and Service Providers globally, just within the Research and Education community: <a href="https://technical.edugain.org/status" target="_blank">https://technical.edugain.org/status</a>.</span></li>
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">Using an email address as a user identifier is a practice that is known to be problematic (see also: <a href="https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/" target="_blank">https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/</a>).</span></li>
<li style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline;font-variant-ligatures:normal;font-variant-east-asian:normal;white-space:pre-wrap"><span style="font-family:Arial,sans-serif">SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that should be used (admittedly, they are new, but all reasonably well-implemented SAML software should be able to support them if configured to do so): <a href="https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html" target="_blank">https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html</a></span></li>
</ol>
<p style="margin-right:0in;margin-left:0.5in;margin-bottom:0.0001pt;vertical-align:baseline"><span style="font-family:Arial,sans-serif;color:black">Best Regards,</span></p><p style="margin-right:0in;margin-left:0.5in;margin-bottom:0.0001pt;vertical-align:baseline"><span style="font-family:Arial,sans-serif;color:black">Nick Roy</span></p></div></div></div>
</blockquote></div>
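<p>Items 2, 5 and 6 of the quoted e-mail, as an added example that is not part of the thread, of the FastFed drafts or of any FastFed implementation: an IdP-side routine that maps SCIM user fields to SAML attributes named by their inetOrgPerson OIDs in the URI NameFormat and carries the OASIS subject-id attribute, and an SP-side routine that keys accounts on subject-id (or pairwise-id) rather than on the mail attribute, so that a recycled address does not hand an old account to a new person. The SCIM-to-OID field mapping, the sample users and the policy of ignoring attributes not in the URI NameFormat are this example's own choices, not anything the specifications require.</p>

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"

# SCIM core-user path -> (SAML Attribute Name as urn:oid, FriendlyName).
# The OIDs are the standard inetOrgPerson / X.520 definitions; which SCIM
# field feeds which attribute is this example's own mapping (assumption).
SCIM_TO_OID = {
    "name.givenName": ("urn:oid:2.5.4.42", "givenName"),
    "name.familyName": ("urn:oid:2.5.4.4", "sn"),
    "displayName": ("urn:oid:2.16.840.1.113730.3.1.241", "displayName"),
    "emails[primary].value": (MAIL, "mail"),
}

# "uniqueID@scope" syntax of the OASIS subject-id / pairwise-id attributes:
# uniqueID is 1-127 characters of [A-Za-z0-9=-], scope is 1-127 characters
# of [A-Za-z0-9.-]; values are case-insensitive, so we lower-case them.
_ID_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.-]{1,127}$")

# Constructed sample users: two different people who, one after the other,
# hold the same recycled address.
ALICE = {"name": {"givenName": "Alice", "familyName": "Liddell"},
         "displayName": "Alice Liddell",
         "emails": [{"value": "alice@example.edu", "primary": True}]}
ALICIA = {"name": {"givenName": "Alicia", "familyName": "Linden"},
          "emails": [{"value": "alice@example.edu", "primary": True}]}


def validate_subject_id(value):
    """Return the normalized identifier, or raise ValueError on bad syntax."""
    if not _ID_RE.match(value or ""):
        raise ValueError("malformed subject-id/pairwise-id: %r" % (value,))
    return value.lower()


def scim_values(user):
    """Flatten the SCIM paths listed in SCIM_TO_OID out of a core-user dict."""
    out, name = {}, user.get("name", {})
    if "givenName" in name:
        out["name.givenName"] = name["givenName"]
    if "familyName" in name:
        out["name.familyName"] = name["familyName"]
    if "displayName" in user:
        out["displayName"] = user["displayName"]
    for e in user.get("emails", []):
        if e.get("primary"):
            out["emails[primary].value"] = e["value"]
    return out


def build_attribute_statement(user, subject_id):
    """IdP side: <saml:AttributeStatement> with OID-named attributes in the
    URI NameFormat plus subject-id. Returns the serialized XML (unsigned)."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element("{%s}AttributeStatement" % SAML_NS)

    def add(name, friendly, value):
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS,
                             {"Name": name, "NameFormat": NAMEFORMAT_URI})
        if friendly:
            attr.set("FriendlyName", friendly)
        ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS).text = value

    add(SUBJECT_ID, None, validate_subject_id(subject_id))
    for path, value in scim_values(user).items():
        oid, friendly = SCIM_TO_OID[path]
        add(oid, friendly, value)
    return ET.tostring(stmt, encoding="unicode")


def parse_statement(xml):
    """SP side: map Attribute Name -> list of values. Attributes not in the
    URI NameFormat are dropped (example policy): a bare string name such as
    "email" has no agreed meaning across IdPs, which is the point of item 2."""
    attrs = {}
    for a in ET.fromstring(xml).findall("{%s}Attribute" % SAML_NS):
        if a.get("NameFormat") != NAMEFORMAT_URI:
            continue
        attrs[a.get("Name")] = [v.text for v in
                                a.findall("{%s}AttributeValue" % SAML_NS)]
    return attrs


def account_key(attrs):
    """Stable key for the SP account table: subject-id, else pairwise-id.
    mail is never used as the key: addresses get reassigned (item 5)."""
    for name in (SUBJECT_ID, PAIRWISE_ID):
        values = attrs.get(name)
        if values:
            if len(values) != 1:
                raise ValueError("%s must be single-valued" % name)
            return validate_subject_id(values[0])
    raise ValueError("no subject-id or pairwise-id; refusing to key on mail")


def provision(store, xml):
    """Create or update the account for one assertion; mail is stored as a
    mutable attribute of the account, not as its identity. Returns the key."""
    attrs = parse_statement(xml)
    key = account_key(attrs)
    store.setdefault(key, {})["mail"] = (attrs.get(MAIL) or [None])[0]
    return key
```

Run with the two constructed users and two distinct subject-id values, `provision` creates two separate accounts that happen to share a mail value; keyed on mail, the second login would have silently taken over the first person's account. The regex reflects this example's reading of the subject-id profile's value syntax; check the linked OASIS document before relying on it in production.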