folks, we're starting to see a bit of divergence in how people are
looking at identity in moonshot.
At one level we can leave this to COI policy. However, it seems like
more standardization would be desirable.
Here's what I've seen:
* The gss-eap code treats username specially. If the IDP sends back a
user-name attribute then the gss-eap will take that name and use it as
the name that gss_accept_sec_context and gss_indicate_context use for
the application. Our apache module and most SASL applications will
depend on this.
* Diamond went a different direction and decided to map
Chargeable-User-Identity into an identifier that gets mapped eventually
into local-login-user.
* Some folks have been looking at using the EPN in SAML assertions for
the same or a similar purpose.
This is all kind of a mess and I think we should work to find guidance
in this space.
--Sam