Open faragom opened 3 years ago
A practical case that wa son the mails. I document it here
For an module like EduGAIN, whe multiple attributes can be available or not, depending on the IdP, we need a persistent and robust way to determin the identifier, by establishing a strict order for the attributes to be checked if existing and used:
identity_issuer
:
schacHomeOrganization
o
eduPersonOrgDN
"default-issuer"
subject
:
schacPersonalUniqueID
schacPersonalUniqueCode
eduPersonTargetedID
eduPersonPrincipalName
"default-subject"
As discussed on the mail thread:
eduPersonTargetedID
from the list.urn:oasis:names:tc:SAML:attribute:subject-id
to the list (as it is expected to be widely supported in the future)schacPersonalUniqueID
schacPersonalUniqueCode
urn:oasis:names:tc:SAML:attribute:subject-id
eduPersonPrincipalName
"default-subject"
This spec proposal derives from this discussion , although it is quite different. We decided to postpone implementing this to a later stage.
Background
Currently, the SP can specify a source to be queried directly, by providing the name of a source on the
spSource
parameter (each SM ms is responsible to define how this attribute is passed on the SP request protocol)Direct data sources do not need any extended behaviour: they return a single data object, so the response is built from it (by returning all the attributes or the intersection between the received and the requested attributes)
But PDS (and SSI, this spec could be extended for that case) hold multiple data sets and link objects, which requires the user to choose the object(s) to build the response from.
Each dataset or link object has a well established and persistent identifier as the
storeEntry
identifier that, as recommended, must have a hierarchical and structured syntax.This user experience can be improved by allowing the SP to specify a list of dataSets and/or Links to retrieve from the PDS source
Considerations
We can extend the syntax of the
spSource
parameter to allow specifying this list of objects to retrieve.The SP object selection can be treated in three ways:
force
: Skip the selector and return the SP-selected objectsconsent
: Show the selector anyways, but with the SP-selected objects marked and not editable, so the user can just consent to the transfer of all or nothing.suggest
: Show the selector anyways, but with the SP-selected objects pre-marked, but allwoing the user to unmark and select others at willWe can add a parameter to select the proper behaviour the SP wants on each occasion.
As we define a syntax for this selector string, we need to fix a syntax for storeEntry object identifiers as well:
storeEntry.id syntax
:
as a field separatorurn:mace:project-seal.eu:id:
Proposed syntaxes:
PDS search string syntax
Main syntax rules:
Syntax of the search string:
source_id
: The name of the source connected to SEAL we want to query. For this case, it will always be 'PDS'.mode
: (optional)(default:force
), the user interaction mode as described above:suggest
,force
,consent
entry_id_prefix
: any prefix (or full string) of astoreEntry.id
to match with.;
separated listSearch
storeEntry.id
would be searched in prefix-mode, but allowing wildcards*
character.storeEntry.id
(ignoring the wildcarded parts) matches the search, are selected.Example:
Examples
Given all the above, here are examples of the incremental syntax we propose:
Requesting PDS source only (selector of objects will be shown):
Requesting PDS source and an eIDAS dataset (any eIDAS dataset from any country, with default behaviour):
Requesting PDS source and an spanish eIDAS dataset and asking for consent:
Requesting PDS source and an spanish eIDAS dataset, with its link to an uji.es identity (from any link module and issuer):