On the subject of security domains, the UK Federation's 'Technical
Recommendations' says in section 7.1.1:
"Institutions in the HE/FE sector are recommended to use their
principal institutional domain name as their scope".
Taken with section 7.1.4 about eduPersonPrincipalName, which says
"This attribute ... typically corresponds to the identifier which a
user presents when authenticating to local institutional services
(i.e., the user's single-signon name or netID)",
this means that my ePPN would be [log in to unmask], which you will notice
is textually identical to my e-mail address. I can see two problems with
this - it will be difficult to convince users that we are _not_ releasing
their email address when we release their ePPN, and some SPs (particularly
internal ones) may try to use ePPN as an email address which, in
Cambridge, will work for some but not all people.
I'm tempted to use a scope below our institutional domain, perhaps
idp.cam.ac.uk, and some other persistent identifier to construct ePPNs.
Would this be foolish? Am I worrying unnecessarily?
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
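Added illustration (not code from the post, the UK federation or the Shibboleth project): a small Python sketch of the alternative the post floats, an ePPN minted under a sub-scope of the institutional domain from an opaque persistent identifier, alongside the check a relying SP should do on any scoped attribute (accept only a scope the IdP is permitted to assert, which a Shibboleth SP normally takes from the IdP's metadata) and a demonstration that such an ePPN cannot be textually identical to a mailbox. The scope idp.cam.ac.uk, the local parts, the persistent-id generator and the mail directory are assumptions constructed for the example.

```python
"""Scoped-attribute handling for ePPN, as an added illustration.

Constructed example, not code from the post or the federation: it shows an
ePPN minted under a sub-scope of the institutional domain from an opaque
persistent identifier, an SP-side check that the asserted scope is one the IdP
is permitted to use, and why such an ePPN cannot be mistaken for a mailbox.
The scope 'idp.cam.ac.uk', the local parts and the mail directory below are
assumptions made for the example.
"""
import secrets

# Scopes this SP accepts from the IdP. In a Shibboleth deployment the SP
# learns these from the IdP's metadata (shibmd:Scope elements); here the set
# is constructed inline.
PERMITTED_SCOPES = {"idp.cam.ac.uk"}

# Constructed mail directory: not everyone has a mailbox at the bare
# institutional domain, which is the poster's point.
MAIL_DIRECTORY = {
    "abc123": "abc123@cam.ac.uk",
}


def new_persistent_id() -> str:
    """An opaque, stable per-user identifier (hypothetical: a random token
    the IdP would store against the account once and never regenerate)."""
    return "u" + secrets.token_hex(8)


def mint_eppn(persistent_id: str, scope: str = "idp.cam.ac.uk") -> str:
    """Build a scoped ePPN <local>@<scope> from a persistent id."""
    if not persistent_id or "@" in persistent_id:
        raise ValueError("persistent id must be non-empty and contain no '@'")
    return f"{persistent_id}@{scope}"


def split_scoped(value: str):
    """Split a scoped attribute into (local part, lower-cased scope).

    Exactly one '@' is required; an extra '@' or an empty side is rejected
    rather than guessed at, because a lax split (e.g. on the first '@') is
    how 'x@evil.example@idp.cam.ac.uk' could slip past a scope check.
    """
    if value.count("@") != 1:
        raise ValueError(f"malformed scoped attribute: {value!r}")
    local, scope = value.split("@")
    if not local or not scope:
        raise ValueError(f"malformed scoped attribute: {value!r}")
    return local, scope.lower()


def accept_eppn(value: str, permitted_scopes=PERMITTED_SCOPES) -> bool:
    """SP-side check: accept only if the scope is one this IdP may assert.

    Comparison is exact: 'cam.ac.uk' is not accepted merely because
    'idp.cam.ac.uk' is, and vice versa.
    """
    try:
        _, scope = split_scoped(value)
    except ValueError:
        return False
    return scope in {s.lower() for s in permitted_scopes}


def collides_with_mailbox(eppn: str, mail_directory=MAIL_DIRECTORY) -> bool:
    """True if the ePPN is textually identical to a known mail address.

    With scope 'cam.ac.uk' and the netID as local part the ePPN equals the
    user's mail address; under 'idp.cam.ac.uk' with an opaque local part
    it cannot.
    """
    return eppn.lower() in {addr.lower() for addr in mail_directory.values()}


if __name__ == "__main__":
    netid_style = "abc123@cam.ac.uk"            # netID at the institutional scope
    opaque_style = mint_eppn("u0123456789abcdef")  # opaque id under the sub-scope
    print(netid_style, "collides with mail:", collides_with_mailbox(netid_style))
    print(opaque_style, "collides with mail:", collides_with_mailbox(opaque_style))
    print(opaque_style, "accepted by SP:", accept_eppn(opaque_style))
    print(netid_style, "accepted by SP:", accept_eppn(netid_style))
```

The scope check is the part that matters for security: whatever scope is chosen, an SP must refuse a scoped attribute whose scope is not one the asserting IdP is allowed to use, otherwise any federation member could assert identifiers in cam.ac.uk. The mailbox comparison is only there to make the post's "textually identical" concern concrete.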