...

The user's identity is transmitted in the form of the NameID element of the SAML assertion. Every Identity Provider (IdP) must supply a NameID, but for privacy reasons SURFconext will generate a new one regardless. Because some software is (or was) unable to read the NameID, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).

Service Providers should use the NameID or eduPersonTargetedID (rather than the email address or other attributes that might change over time) to identify users. The NameID is guaranteed to be stable and never change for a given user (except in the case of transient identifiers, see below). SURFconext generates the NameID for each new user from a hash over the uid and schacHomeOrganization (together unique for a user across the federation), the SP entityID and a secret. It is therefore both unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other.
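The following is an added example, not SURFconext's own code, of the construction described above: a keyed hash over the federation-wide user identity (uid plus schacHomeOrganization) and the SP entityID. The use of HMAC-SHA256, the field encoding and the sample secret, users and entityIDs are all assumptions made for the example; only the properties it demonstrates (the same user gets the same value at one SP and unrelated values at different SPs) follow from the text.

```python
# Added example (not SURFconext's code): an SP-specific pairwise identifier.
# Construction and secret are assumptions; the page only states which inputs
# go into the hash, not the exact algorithm.
import hashlib
import hmac


def pairwise_nameid(uid: str, schac_home_org: str, sp_entity_id: str, secret: bytes) -> str:
    """Return an identifier that is stable for (uid, org) and unique per SP.

    The secret is what stops an SP from recomputing the value for a guessed
    user, and from correlating its identifiers with those of another SP.
    """
    fields = (uid, schac_home_org, sp_entity_id)
    # Length-prefix each field so that "ab" + "c" and "a" + "bc" cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    # SHA-256 gives 64 hex characters; the page's sample is 40, but it also
    # says not to depend on the length or alphabet, so treat it as opaque.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def correlation_demo(secret: bytes) -> dict:
    """Show the properties an SP can rely on (constructed sample users and SPs)."""
    sp_a = "https://sp-a.example.org/metadata"  # assumed entityIDs
    sp_b = "https://sp-b.example.org/metadata"
    same_user_same_sp = pairwise_nameid("jdoe", "example.edu", sp_a, secret) == \
        pairwise_nameid("jdoe", "example.edu", sp_a, secret)
    same_user_other_sp = pairwise_nameid("jdoe", "example.edu", sp_a, secret) == \
        pairwise_nameid("jdoe", "example.edu", sp_b, secret)
    # Same uid at a different home organisation is a different federation user.
    same_uid_other_org = pairwise_nameid("jdoe", "example.edu", sp_a, secret) == \
        pairwise_nameid("jdoe", "other.edu", sp_a, secret)
    return {
        "stable_per_user_and_sp": same_user_same_sp,
        "correlatable_across_sps": same_user_other_sp,
        "uid_alone_identifies_user": same_uid_other_org,
    }


if __name__ == "__main__":
    for k, v in correlation_demo(b"example-secret-not-for-production").items():
        print(f"{k}: {v}")
```

Note that the secret is the only thing that makes this a pseudonym rather than a fingerprint: without it, anyone who knows a uid and home organisation could compute the identifier for any SP.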

SURFconext can provide NameIDs of 2 different types:

  • A persistent identifier. A persistent NameID contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
  • A transient identifier. A transient NameID contains a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires and the user logs into your service once more, a new transient identifier will be generated for the user and SP.

Persistent and transient identifiers typically have the form 'bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef'. However, please do not rely on the identifier being a hexadecimal string, as the syntax may change in the future.

The corresponding NameID Format values, for persistent and transient identifiers respectively, are:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
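As an added example (not SURFconext's code, nor that of any SAML library), here is how a Service Provider would pick the user identifier from a SAML 2.0 assertion following the guidance above: use the NameID when present, fall back to eduPersonTargetedID when it is not, and treat a transient NameID as valid for the session only rather than as a key for a local account. The sample assertions are constructed for the example; the transient value is made up, the persistent value is the sample string from this page. Signature and condition checking is out of scope here and assumed to have happened before this function is called.

```python
# Added example (not SURFconext's or any SAML library's code): selecting the
# user identifier from an assertion. The assertion must already have been
# signature-verified and its Conditions (audience, validity window) checked;
# this function only decides which identifier to use and how far to trust it.
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# eduPersonTargetedID under both attribute schemas: urn:oid (SAML 2.0 style)
# and urn:mace (SAML 1.1 style). Accept either so a one-schema SP still works.
EPTID_NAMES = (
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
)


@dataclass(frozen=True)
class UserIdentifier:
    value: str
    source: str   # "NameID" or "eduPersonTargetedID"
    stable: bool  # True only for a persistent identifier; False means session-scoped


def _eptid(root: ET.Element) -> Optional[str]:
    """Return the eduPersonTargetedID value under either schema name, if present."""
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") not in EPTID_NAMES:
            continue
        val = attr.find("saml:AttributeValue", NS)
        if val is None:
            continue
        # The value may be carried as a nested NameID element or as plain text.
        nested = val.find("saml:NameID", NS)
        text = (nested.text if nested is not None else val.text) or ""
        if text.strip():
            return text.strip()
    return None


def extract_identifier(assertion_xml: str) -> UserIdentifier:
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        fmt = name_id.get("Format", "")
        if fmt == FORMAT_PERSISTENT:
            return UserIdentifier(name_id.text.strip(), "NameID", stable=True)
        if fmt == FORMAT_TRANSIENT:
            # Changes every session: usable for this login, never as an account key.
            return UserIdentifier(name_id.text.strip(), "NameID", stable=False)
        raise ValueError(f"unexpected NameID Format: {fmt!r}")
    eptid = _eptid(root)
    if eptid is None:
        raise ValueError("assertion carries neither a NameID nor eduPersonTargetedID")
    # Per the page, eduPersonTargetedID duplicates the persistent NameID.
    return UserIdentifier(eptid, "eduPersonTargetedID", stable=True)


def _assertion(subject: str, attributes: str = "") -> str:
    """Build a minimal constructed assertion for the examples below."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0">'
            f'<saml:Subject>{subject}</saml:Subject>'
            f'<saml:AttributeStatement>{attributes}</saml:AttributeStatement>'
            f'</saml:Assertion>')


SAMPLE_ID = "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef"  # sample value from the page
PERSISTENT_ASSERTION = _assertion(
    f'<saml:NameID Format="{FORMAT_PERSISTENT}">{SAMPLE_ID}</saml:NameID>',
    f'<saml:Attribute Name="{EPTID_NAMES[0]}"><saml:AttributeValue>'
    f'<saml:NameID Format="{FORMAT_PERSISTENT}">{SAMPLE_ID}</saml:NameID>'
    f'</saml:AttributeValue></saml:Attribute>')
TRANSIENT_ASSERTION = _assertion(
    f'<saml:NameID Format="{FORMAT_TRANSIENT}">_made-up-transient-value-1</saml:NameID>')
# No NameID at all; only the legacy urn:mace attribute name with a plain value.
EPTID_ONLY_ASSERTION = _assertion(
    "", f'<saml:Attribute Name="{EPTID_NAMES[1]}"><saml:AttributeValue>{SAMPLE_ID}'
        f'</saml:AttributeValue></saml:Attribute>')

if __name__ == "__main__":
    for a in (PERSISTENT_ASSERTION, TRANSIENT_ASSERTION, EPTID_ONLY_ASSERTION):
        print(extract_identifier(a))
```

The `stable` flag is the point of the example: an SP that keys its user table on whatever string arrives in the NameID will silently create a new account per session for transient identifiers, so the caller should only provision or look up an account when `stable` is true.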


Attribute schemas

A schema is an abstract representation of an object's characteristics and relationship to other objects.

SURFconext supports two attribute schemas:

  • urn:oid schema (SAML2.0 compliant)

...

  • urn schema (SAML1.1 compliant) 

Both of these can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemas as part of the assertion. It is not recommended to mix the use of these schemas, but for legacy reasons SURFconext offers both.

Attribute overview

SURFconext supports relaying the following attributes:

...