Actually, I’m assuming we would want the IdP to choose which attribute is used in the hash in the FR config. E.g. at Cardiff I’d probably feed in the identity number of the user from LDAP rather than using username as I know that’s never reassigned, and would allow our users’ usernames to change without affecting their persistent ids.
Rhys.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet, the UK's research and education network
email: [log in to unmask] / [log in to unmask]
GPG: 0x4638C985
On 17 Jun 2014, at 19:20, Rhys Smith <[log in to unmask]> wrote:
> Well, it doesn’t exist yet, so technically the answer is no :-).
>
> Why would you want the input to the hash be the NAI rather than the stripped username?
>
> Rhys.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: [log in to unmask] / [log in to unmask]
> GPG: 0x4638C985
>
> On 17 Jun 2014, at 19:10, Stefan Paetow <[log in to unmask]> wrote:
>
>>> * Type 5 UUIDs hash together a namespace (UUID) along with a name (string).
>>> I’d create four UUIDs that represent the four Moonshot identifiers for the namespaces.
>>> The name would be (username + salt + {GSS-Acceptor-Service-Name /
>>> GSS-Host-Name / GSS-Realm / CoI Name}).
>>
>> Just to clarify, the username there is still in full NAI format, yes?
>>
>> Stefan
>>
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>> not-for-profit company which is registered in England under No. 2881024
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
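The scheme discussed in this thread, as an added Python sketch that is not code from the thread or from the Moonshot/FreeRADIUS projects: a type 5 UUID per identifier kind, with the hash input selectable on the IdP side. The namespace UUIDs, the salt, the separator, the user records and the function names are all constructed assumptions.

```python
import uuid

# Constructed namespaces: the thread proposes one UUID per Moonshot identifier
# but gives no values, so these are derived from a placeholder root.
ROOT = uuid.uuid5(uuid.NAMESPACE_DNS, "idp.example.org")
KINDS = ("GSS-Acceptor-Service-Name", "GSS-Host-Name", "GSS-Realm", "CoI Name")
NAMESPACES = {kind: uuid.uuid5(ROOT, kind) for kind in KINDS}

# Added assumption, not in the thread: a separator between the three parts,
# so that ("ab", "c") and ("a", "bc") cannot produce the same hash input.
SEP = "\x1f"


def strip_realm(nai: str) -> str:
    """Return the user part of an NAI such as 'asmith@example.org'."""
    return nai.rsplit("@", 1)[0]


def persistent_id(kind: str, scope: str, source_value: str, salt: str) -> uuid.UUID:
    """Type 5 UUID over (source attribute, salt, scope) in the kind's namespace."""
    if kind not in NAMESPACES:
        raise ValueError(f"unknown identifier kind: {kind}")
    if not source_value or not salt:
        raise ValueError("source attribute and salt must be non-empty")
    return uuid.uuid5(NAMESPACES[kind], SEP.join((source_value, salt, scope)))


def id_for(user: dict, source_attr: str, kind: str, scope: str, salt: str) -> uuid.UUID:
    """Pick the hash input from the user record, as an IdP-side option would."""
    return persistent_id(kind, scope, user[source_attr], salt)


# Constructed sample data: the same person before and after a username change.
SALT = "constructed-salt-not-for-production"
BEFORE = {"nai": "asmith@example.org", "identity_number": "0012345"}
AFTER = {"nai": "ajones@example.org", "identity_number": "0012345"}

if __name__ == "__main__":
    for attr in ("nai", "identity_number"):
        a = id_for(BEFORE, attr, "GSS-Realm", "rp.example.net", SALT)
        b = id_for(AFTER, attr, "GSS-Realm", "rp.example.net", SALT)
        print(f"{attr:16} stable across rename: {a == b}")
```

Because the full NAI and the stripped username hash to different values, whichever input is chosen has to stay fixed for the life of the identifiers.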