OK, so we’re looking at the following - from most to least privacy preserving.
1) AAA attribute of moonshot-service-targetedid.
* A persistent identifier per user, per service.
* Value: a hash of Gss-Acceptor-Service-Name, NAI, salt.
* Representation: [log in to unmask] e.g. [log in to unmask]
2) AAA attribute of moonshot-realm-targetedid.
* A persistent identifier per user, common across all services within a particular RP realm.
* Value: a hash of Gss-Acceptor-Realm-Name, NAI, salt.
* Representation: [log in to unmask] e.g. [log in to unmask]
3) AAA attribute of moonshot-tr-coi-targetedid.
* A persistent identifier per user, common across all services within a particular COI.
* Value: a hash of CoI-Identifier, NAI, salt.
* Representation: [log in to unmask] e.g. [log in to unmask]
Where of course on that scale there’s also the following:
0) Don’t send anything. Anonymous access, apart from the RP knowing the IdP.
4) AAA attribute of User-Name - persistent identifier per user across all services, not opaque.
Recommendation would typically be to send moonshot-service-targetedid by default, and moonshot-realm-targetedid if the IdP trusts the realm enough to do so or the COI policy requires it, ditto moonshot-tr-coi-targetedid. User-Name only where absolutely required and policy in place that details its protection.
Does that look suspiciously like a conclusion?
Rhys.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet, the UK's research and education network
email: [log in to unmask] / [log in to unmask]
GPG: 0x4638C985
On 30 May 2014, at 15:37, Sam Hartman <[log in to unmask]> wrote:
> Josh, thanks.
> That explanation helps a lot.
>
> I suggest that there's one case where we might want to come up with a
> recommendation (not in aaa-saml) for what mapping to do. The case where
> you have a SAML AA but no SAML assertion in the request and need to map
> COI-scoped AAA identifiers. I think this case will come up for the
> managed portal project we were talking about with per-user COI
> membership and entitlements.
>
> Besides that, I think we have things under control.
>
> It seems reasonable to me to commit to option 1 (AAA-style identifiers)
> for AAA attributes.
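To make the privacy scale above concrete, here is an added illustration (not code from the thread or from the Moonshot project) that derives the three targeted identifiers for one user and reports at which level two sessions become linkable. The thread says only "hash of <scope>, NAI, salt"; the choice of HMAC-SHA256, the NUL field separator, the type prefixes, the sample salt and all service, realm and COI names are this example's assumptions, and the scoped wire representation elided in the archive is not reconstructed.

```python
import hashlib
import hmac

# Constructed example salt. An IdP keeps its salt secret so an RP cannot
# recompute the identifier from a guessed NAI and so unlink nothing more
# than the attribute it was sent.
SALT = b"example-idp-salt-not-a-real-secret"

def targeted_id(scope: str, nai: str, salt: bytes = SALT) -> str:
    # Assumption: HMAC-SHA256 over "<scope>\0<NAI>" keyed with the salt.
    # The separator keeps (scope, nai) pairs from colliding by concatenation.
    msg = scope.encode() + b"\x00" + nai.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def service_targeted_id(gss_acceptor_service_name: str, nai: str) -> str:
    """moonshot-service-targetedid: persistent per user, per service."""
    return targeted_id("service:" + gss_acceptor_service_name, nai)

def realm_targeted_id(gss_acceptor_realm_name: str, nai: str) -> str:
    """moonshot-realm-targetedid: common across services in one RP realm."""
    return targeted_id("realm:" + gss_acceptor_realm_name, nai)

def coi_targeted_id(coi_identifier: str, nai: str) -> str:
    """moonshot-tr-coi-targetedid: common across services in one COI."""
    return targeted_id("coi:" + coi_identifier, nai)

def linkability(nai: str, a: dict, b: dict) -> dict:
    """For two contexts {service, realm, coi} seen by the same user, report
    at which level of the scale an RP could tie the two sessions together."""
    return {
        "service": service_targeted_id(a["service"], nai)
                   == service_targeted_id(b["service"], nai),
        "realm": realm_targeted_id(a["realm"], nai)
                 == realm_targeted_id(b["realm"], nai),
        "coi": coi_targeted_id(a["coi"], nai) == coi_targeted_id(b["coi"], nai),
        "user_name": True,  # level 4: the bare NAI links everywhere
    }

if __name__ == "__main__":
    # Constructed sample: one user, two services in the same RP realm and COI.
    nai = "alice@idp.example.ac.uk"
    ssh = {"service": "host/ssh.rp.example.org",
           "realm": "rp.example.org", "coi": "coi-example"}
    web = {"service": "HTTP/www.rp.example.org",
           "realm": "rp.example.org", "coi": "coi-example"}
    print(linkability(nai, ssh, web))
```

Swapping in a second realm in the same COI shows the next step of the scale: only the COI-scoped and User-Name levels still link the sessions.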