Versions Compared

Old Version 3

changes.mady.by.user Wil Cooley

Saved on

compared with

New Version 4

changes.mady.by.user Wil Cooley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Use attributes samlPairwiseID or samlSubjectID to identify users.

  • Entity ID should be a globally-addressable URL.

  • SAML certificates should be self-signed with a 10 year expiration.

Table of Contents
maxLevel6
minLevel1maxLevel6
include
outlinefalse
indentstylenone
excludeTL;DR
stylenone
typelist
classprintabletrue
class

User Identifiers

Do not use the “NameID” section of SAML assertions to identify users. Instead, use either the attribute samlPairwiseID or the attribute samlSubjectID.

The samlPairwiseID is unique for every service provider but based on the persistent PSU UUID. Because it is unique for every service provider, it is more difficult to misuse if stolen or sold. It is also scoped, having @pdx.edu appended.

The samlSubjectID is the PSU UUID with the @pdx.edu domain appended.

...

Neither of these identifiers are very user-friendly or familiar, however, so when displaying an identifier to the user, uid (username), or eduPersonPrincipalName (an email-like identifier) are better choices.

We strongly recommend against using the mail attribute as it often is not “uid@pdx.edu” and can easily change due to email aliases or account renames. Also, the domain for mail is different between production and non-production environments: @pdx.edu for production and @gtest.pdx.edu for stage. If the vendor or application insists on an attribute formatted like an email address that can also receive mail, use the eduPersonPrincipalName.

Refer also to “IAM Definitions: Identifiers”.

User Status

To determine if a user is “active” (i.e., a current student, employee or affiliate), use the multi-valuededuPersonScopedAffiliation attribute: All active users with a standard Odin account will have “member@pdx.edu”, along with other values like “student@pdx.edu” or “employee@pdx.edu”.

Provisional, limited lifetime and inactive users will not have “member@pdx.edu” among those roles; do not use the presence of “none@pdx.edu” as an indication that the user is inactive, as this is the result of a limitation of a part of our identity management systems and should not be relied upon.

To determine if a user is primarily a student or employee, use the single-valued eduPersonPrimaryAffiliation attribute: It will have “student”, “faculty”, “staff” or “affiliate”.

Note that in order to access records via Banweb, all users have accounts for life and are able to authenticate via SSO. Furthermore, provisional accounts can be created by anyone with nothing more than an external email address – these are also able to authenticate via SSO. Validating active users is mandatory; do not assume that a user successfully authenticating with SSO means this is an active student or employee! The Identity Provider cannot restrict these accounts from your application.

Kindly refer to “IAM Definitions: Roles”.

Entity ID

The entity ID of a Service Provider or Identity Provider is the global identifier for the service. The entity ID thus should reflect a name that is globally unique, so it should not include a hostname like “localhost”.

...