> > 1) moonshot-tr-realm-targetedid
> > Value a SHA256 (?) hash of Gss-Acceptor-Realm, username, salt.
> > Represented as value@idp-realm
> > 2) moonshot-tr-coi-targetedid
> > Value a SHA 256 (?) hash of CoI-Identifier, username, salt. Represented as
> [log in to unmask]
>
> This sounds reasonable...
>
> The only change I would make is that it should be the NAI to be used in the
> hash (like the CUI code does right now).
+1
I really like this proposal. I also believe that we want to use these identifiers as name identifiers within SAML assertion requests subsequent to authentication (rather than acting merely as a key to mapping to a local account) by default. And so a requestor would use realm-targetedid to request attributes managed by the IdP, and coi-targetedid to request attributes managed by the CoI.
If nothing else, this discussion has convinced me that, for the sake of technical interoperability, we do need to consider the treatment of these AAA user identifiers within both the APC and CoI policies, in addition to treating system identifiers.
Josh.
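The derivation quoted at the top of this message (a SHA256 over the acceptor realm or CoI identifier, the NAI and a per-IdP salt, rendered as `value@idp-realm`), as an added example that is not code from the thread or from the Moonshot project. The length-prefixed field encoding, the `realm:`/`coi:` domain-separation tags and the sample salt are assumptions made here; the proposal does not specify them.

```python
import hashlib
import secrets

# Constructed sample salt. In a real IdP this is a random secret kept private:
# anyone who knows it can brute-force usernames from the targeted IDs.
SAMPLE_SALT = bytes.fromhex(
    "8f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0")


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field (assumption) so that field boundaries are
    unambiguous: ("ab", "c") and ("a", "bc") must not hash to the same value."""
    out = bytearray()
    for field in fields:
        out += len(field).to_bytes(4, "big") + field
    return bytes(out)


def _targeted_id(scope: str, nai: str, salt: bytes, idp_realm: str) -> str:
    """SHA256(scope, NAI, salt) represented as <hex>@<idp-realm>."""
    digest = hashlib.sha256(_encode(scope.encode(), nai.encode(), salt)).hexdigest()
    return f"{digest}@{idp_realm}"


def realm_targeted_id(acceptor_realm: str, nai: str, salt: bytes, idp_realm: str) -> str:
    """moonshot-tr-realm-targetedid: stable for one (user, Gss-Acceptor-Realm) pair,
    different for every other acceptor realm, so relying parties cannot correlate."""
    # The "realm:" tag (assumption) keeps a realm-targeted ID from ever colliding
    # with a CoI-targeted ID for a CoI whose identifier equals a realm name.
    return _targeted_id("realm:" + acceptor_realm, nai, salt, idp_realm)


def coi_targeted_id(coi_identifier: str, nai: str, salt: bytes, idp_realm: str) -> str:
    """moonshot-tr-coi-targetedid: stable for one (user, CoI-Identifier) pair."""
    return _targeted_id("coi:" + coi_identifier, nai, salt, idp_realm)


def new_salt() -> bytes:
    """Generate a fresh 256-bit salt; rotating it re-keys every targeted ID."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    nai = "alice@idp.example.ac.uk"  # constructed NAI, as the reply suggests hashing
    print(realm_targeted_id("sp.example.ac.uk", nai, SAMPLE_SALT, "idp.example.ac.uk"))
    print(coi_targeted_id("research-coi.example", nai, SAMPLE_SALT, "idp.example.ac.uk"))
```

Because the NAI itself contains an `@`, consumers should split the result on its last `@` to recover the value and the IdP realm.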