This is one of the reasons why we (at Diamond) require something like CUI, which, together with a user-controlled interface (like our User Office System), allows the users to create the link between their identity at their home organisation and their identity at the facility (i.e. the RP). CUI is anonymous in the sense that no-one but the home organisation (i.e. the IdP of the user) knows what the real identity was, but at the same time, it is unique to the user (i.e. identifying the user without saying who they are). Whether the link is created in a database (as STFC and we have done), or via an LDAP attribute, that's just a technical issue.

From what I understand, the only reasons why CUI is not part of the eduroam requirements yet are that there are several RADIUS servers out there (amongst them Microsoft NPS) which do not support it, and that there are concerns that, as much as it is just a hash, it could be considered personally identifiable information, which again falls under data protection legislation.

Regards

Stefan


________________________________________
From: Cantor, Scott [[log in to unmask]]
Sent: Friday, February 28, 2014 5:02 PM
To: [log in to unmask]
Subject: Re: Mapping users to their accounts

On 2/28/14, 11:53 AM, "Gabriel López" <[log in to unmask]> wrote:
>
>Well, I'm talking about presenting an outer anonymous identity (@realm)
>to the RP and an inner identity (user@realm) to the IdP, in the way
>eduroam works.

Yes, and I think eduroam is also problematic for the same reason (unless
you just don't factor privacy in as a realistic goal).

Us geeks might enter anonymous@realm, but typical users won't.

-- Scott

-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
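A worked illustration of the identity-linking flow Stefan describes above (anonymous outer identity at the RP, real inner identity at the home IdP, and a CUI that the facility maps to a local account). This is an added example, not code from the thread, from Diamond or from STFC. It assumes the IdP derives the CUI as a keyed hash (HMAC-SHA256 over the inner identity with a per-IdP secret); that construction is this example's choice, since RFC 4372 only requires an opaque value that is stable for a given user. The functions, the `FacilityRP` class, the user records and the facility account names are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# ---- Home organisation (IdP) side --------------------------------------------
# Assumption (this example's choice, not prescribed by the thread or RFC 4372):
# the IdP derives the CUI as an HMAC over the inner identity with a long-lived
# per-IdP secret, so it is stable for one user but opaque to everyone else.
IDP_SECRET = b"constructed-example-idp-secret"

# Constructed user store for the simulated inner (EAP) authentication.
IDP_USERS = {"alice@home.example": "correct horse", "bob@home.example": "battery staple"}


def derive_cui(inner_identity: str, secret: bytes = IDP_SECRET) -> str:
    """Stable, opaque Chargeable-User-Identity for an inner identity (user@realm)."""
    mac = hmac.new(secret, inner_identity.lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def idp_handle_request(outer_identity: str, eap_tunnel: dict, cui_requested: bool) -> dict:
    """Simulated home IdP: opens the EAP tunnel and authenticates the inner identity.

    Only the IdP sees the tunnel contents; the visited RP only ever sees outer_identity.
    """
    inner = eap_tunnel["inner_identity"]
    # Example's own sanity check: the inner realm must match the realm the RP routed on.
    if inner.split("@")[1] != outer_identity.split("@")[1]:
        return {"code": "Access-Reject", "reason": "inner/outer realm mismatch"}
    if IDP_USERS.get(inner) != eap_tunnel["password"]:
        return {"code": "Access-Reject", "reason": "bad credentials"}
    reply = {"code": "Access-Accept"}
    if cui_requested:
        # RFC 4372: a NUL-valued CUI attribute in the Access-Request asks the
        # home server to supply one in the Access-Accept.
        reply["Chargeable-User-Identity"] = derive_cui(inner)
    return reply


# ---- Facility (RP / visited network) side ------------------------------------
@dataclass
class FacilityRP:
    # CUI -> facility account. The thread notes this can live in a database
    # or in an LDAP attribute; a dict stands in for it here.
    cui_to_account: dict = field(default_factory=dict)
    # What the RP's RADIUS log would contain: outer identity and CUI only.
    observed: list = field(default_factory=list)

    def authenticate(self, outer_identity: str, eap_tunnel: dict) -> dict:
        """Proxy an Access-Request to the home IdP and resolve the returned CUI locally."""
        reply = idp_handle_request(outer_identity, eap_tunnel, cui_requested=True)
        if reply["code"] != "Access-Accept":
            return {"accepted": False, "cui": None, "account": None}
        cui = reply["Chargeable-User-Identity"]
        self.observed.append({"User-Name": outer_identity, "CUI": cui})
        return {"accepted": True, "cui": cui, "account": self.cui_to_account.get(cui)}

    def link_account(self, cui: str, facility_account: str) -> None:
        """User Office step: a user logged in with this CUI claims their facility account."""
        if cui in self.cui_to_account and self.cui_to_account[cui] != facility_account:
            raise ValueError("CUI already linked to a different facility account")
        self.cui_to_account[cui] = facility_account


def demo() -> dict:
    """Run the full flow once and return every intermediate result."""
    rp = FacilityRP()
    # The supplicant sends anonymous@realm outside and user@realm inside the tunnel.
    alice = {"inner_identity": "alice@home.example", "password": "correct horse"}
    first = rp.authenticate("anonymous@home.example", alice)   # accepted, not yet linked
    rp.link_account(first["cui"], "facility-account-0001")     # User Office creates the link
    second = rp.authenticate("anonymous@home.example", alice)  # now resolves to the account
    bob = {"inner_identity": "bob@home.example", "password": "battery staple"}
    third = rp.authenticate("anonymous@home.example", bob)     # different CUI, still unlinked
    wrong = rp.authenticate("anonymous@home.example",
                            {"inner_identity": "alice@home.example", "password": "nope"})
    return {"first": first, "second": second, "third": third, "wrong": wrong, "log": rp.observed}
```

Note that the RP's log (`observed`) contains only `anonymous@home.example` and the hex CUI, never `alice` or `bob`, which is the sense in which Stefan calls the CUI anonymous; it is nevertheless a persistent pseudonym that links every visit by the same user, which is why the thread mentions the data-protection concern.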