<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">It’s my hope that the working group members will now have a dialog with Nick and the others behind this feedback to figure out how to address the feedback.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">I’ll start this off by asking for more specifics on 1.  How is the spec misusing the persistent nameID format and what change would those that wrote this feedback suggest to address this issue, Nick?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">                                                       -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-fastfed <openid-specs-fastfed-bounces@lists.openid.net>
<b>On Behalf Of </b>Nicholas Roy via Openid-specs-fastfed<br>
<b>Sent:</b> Tuesday, May 12, 2020 2:57 PM<br>
<b>To:</b> openid-specs-fastfed@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-fastfed] FastFed SAML Feedback<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi,<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I've been asked to provide feedback on the FastFed drafts. The following is a roughly compiled, likely incomplete list, which is the result of review of the FastFed SAML profile
 by some people within the SAML deployment and standards communities I work with. I am acting as a relay. I've requested that others from these groups also join this list, to enable a dialogue about the issues and their potential resolutions.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<ol style="margin-left:47.25pt;font-family:Arial,sans-serif;color:black">
<li>Violates the SAML 2.0 standard by misusing the persistent nameID format</li>
<li>Abuses unspecified NameFormat in mapping attributes from SCIM and does not use the proper official names for these attributes (inetOrgPerson). This scheme is not interoperability-safe since it is string-based and not OID-based.</li>
<li>The claim that SAML doesn’t support provisioning of groups is incorrect.</li>
<li>“No standard mechanism for an identity provider and application provider to directly exchange metadata required by existing standards” is incorrect. See:
<a href="https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management" target="_blank">https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html#_metadata_and_trust_management</a> and
<a href="https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management" target="_blank">https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management</a>. These methods are currently in use by tens of thousands of Identity Providers and Service Providers globally, just within the Research and Education community:
<a href="https://technical.edugain.org/status" target="_blank">https://technical.edugain.org/status</a>.</li>
<li>Using email address as a user identifier is a practice that is known to be problematic (see also:
<a href="https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/" target="_blank">https://celeretech.com/blog/yahoo-begins-recycling-e-mail-accounts/</a>)</li>
<li>SAML 2.0 has OpenID Connect/OAuth-compatible identifiers that should be used (admittedly, they are new, but all reasonably well-implemented SAML software should be able to support them if configured to do so): <a href="https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html" target="_blank">https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html</a></li>
</ol>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif;color:black">Best Regards, </span><o:p></o:p></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline">
<span style="font-family:"Arial",sans-serif;color:black">Nick Roy</span><o:p></o:p></p>
</div>
</div>
</div>
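<p class="MsoNormal">Added example, not part of either message above and not code from the FastFed specification: a small service-provider-side Python check that illustrates points 2, 5 and 6 of the feedback. It parses a constructed, unsigned SAML assertion (signature verification is assumed to have happened already), flags attributes that are not named with an OID or OASIS URN under the <code>uri</code> NameFormat, validates a <code>subject-id</code> value against the <code>uniqueID@scope</code> shape the OASIS subject identifier specification requires, and shows why keying local accounts on <code>mail</code> lets a recycled address inherit the previous holder's account while keying on <code>subject-id</code> does not. The identifiers, addresses and the in-memory account store are invented for the example. Nothing here covers point 1, since the feedback does not say how the persistent NameID format is misused.</p>

```python
"""SP-side checks for SAML attribute naming and a stable account key (added example)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# inetOrgPerson "mail" as an OID URN, and the OASIS subject identifier attributes.
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"

# subject-id / pairwise-id values are "uniqueID@scope" in a restricted ASCII
# alphabet, 1-127 characters per side, compared case-insensitively.
SUBJECT_ID_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.-]{1,127}$")


def extract_attributes(assertion_xml):
    """Return {(NameFormat, Name): [values]} from the AttributeStatement.

    Per SAML 2.0 core a missing NameFormat means 'unspecified'. The XML
    signature must already have been verified before trusting any of this.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED), attr.get("Name") or "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(key, []).extend(values)
    return attrs


def lint_attribute_names(attrs):
    """Flag names that are not interoperability-safe: a bare string such as
    "email" under the unspecified NameFormat means whatever each deployment
    decides; an OID or OASIS URN under the uri NameFormat means one thing."""
    findings = []
    for fmt, name in attrs:
        if fmt != NAMEFORMAT_URI:
            findings.append(f"{name!r}: NameFormat is {fmt}, not the uri format")
        elif not name.startswith(("urn:oid:", "urn:oasis:names:tc:SAML:attribute:")):
            findings.append(f"{name!r}: uri NameFormat but not an OID/OASIS URN")
    return findings


def stable_subject_key(attrs):
    """Account key from subject-id (or pairwise-id); never from mail."""
    for name in (SUBJECT_ID, PAIRWISE_ID):
        for value in attrs.get((NAMEFORMAT_URI, name), []):
            if SUBJECT_ID_RE.match(value):
                return value.lower()
    return None


def link_account(accounts, attrs, key_on):
    """Find or create the local account; returns (account_id, created).

    `accounts` (identifier -> account id) stands in for the SP user store.
    key_on is "mail" or "subject-id".
    """
    if key_on == "mail":
        key = next(iter(attrs.get((NAMEFORMAT_URI, OID_MAIL), [])), None)
    else:
        key = stable_subject_key(attrs)
    if key is None:
        raise ValueError("assertion carries no usable identifier")
    if key not in accounts:
        accounts[key] = f"acct-{len(accounts) + 1}"
        return accounts[key], True
    return accounts[key], False


def _assertion(subject_id, mail, extra=""):
    """Constructed, unsigned sample assertion for this example only."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_1" Version="2.0" IssueInstant="2020-05-12T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="{SUBJECT_ID}">
      <saml:AttributeValue>{subject_id}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="{OID_MAIL}">
      <saml:AttributeValue>{mail}</saml:AttributeValue>
    </saml:Attribute>{extra}
  </saml:AttributeStatement>
</saml:Assertion>"""


# The first holder of jdoe@example.edu leaves; the IdP later hands the same
# address to a different person, who naturally has a different subject-id.
FIRST_HOLDER = _assertion("a1b2c3=@example.edu", "jdoe@example.edu")
NEW_HOLDER = _assertion("zz99@example.edu", "jdoe@example.edu")
SLOPPY = _assertion("a1b2c3=@example.edu", "jdoe@example.edu",
                    '\n    <saml:Attribute Name="email">'
                    "<saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>")


def demo():
    by_mail, by_subject = {}, {}
    m1, _ = link_account(by_mail, extract_attributes(FIRST_HOLDER), "mail")
    m2, _ = link_account(by_mail, extract_attributes(NEW_HOLDER), "mail")
    s1, _ = link_account(by_subject, extract_attributes(FIRST_HOLDER), "subject-id")
    s2, _ = link_account(by_subject, extract_attributes(NEW_HOLDER), "subject-id")
    return {
        "mail_key_inherits_old_account": m1 == m2,     # True: recycled address takes over
        "subject_key_inherits_old_account": s1 == s2,  # False: new subject, new account
        "lint_findings": lint_attribute_names(extract_attributes(SLOPPY)),
    }


if __name__ == "__main__":
    print(demo())
```

<p class="MsoNormal">Running <code>demo()</code> shows the two failure modes side by side: the store keyed on <code>mail</code> hands the new holder of <code>jdoe@example.edu</code> the first holder's account, the store keyed on <code>subject-id</code> creates a fresh one, and the lint reports the bare <code>email</code> attribute that has no NameFormat. In a real SP the account store would be a database and the assertion would reach these functions only after signature, audience and validity-window checks.</p>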
</div>
</body>
</html>