For testing with SimpleSAMLphp (SSP), see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted for a reference on configuring the hosted IdP.

In a persistent identifier scenario, the RP requests a persistent identifier using the persistent scope and should receive a pairwise sub (one stable subject identifier per RP), regardless of which persistent identifier attribute we received from the SAML IdP as the basis.
We cannot deliver a persistent identifier if the SAML IdP releases no persistent identifier at all; such a transaction must fail.

The following scenarios need to be tested:

Each scenario lists three parts: Configuration (what the IdP releases and what the RP requests), Parameters (for SSP), and Expected Result.

Transient SAML NameID, eduPersonAffiliation and schacHomeOrganization

Configuration

  IdP releases:
  • transient SAML NameID
  • eduPersonAffiliation
  • schacHomeOrganization

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  urn:oid:1.3.6.1.4.1.25178.1.2.9 = example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.1 = student

Expected Result

  • TRANSACTION MUST FAIL, as we have no persistent ID to base our response on.
  • Redirect to invalid attributes page



Transient SAML NameID, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • transient SAML NameID
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • TRANSACTION MUST FAIL, as we have no persistent ID to base our response on.
  • Redirect to invalid attributes page





Transient SAML NameID, eduPersonPrincipalName, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • transient SAML NameID
  • eduPersonPrincipalName
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = username@example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • eduPersonPrincipalName is the basis for the pairwise sub value



Transient SAML NameID, eduPersonUniqueId, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • transient SAML NameID
  • eduPersonUniqueId
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  urn:oid:1.3.6.1.4.1.5923.1.1.1.13 = 3290vdsjk2njks9@example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • eduPersonUniqueId is the basis for the pairwise sub value



Transient SAML NameID, eduPersonTargetedID, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • transient SAML NameID
  • eduPersonTargetedID
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  urn:oid:1.3.6.1.4.1.5923.1.1.1.10 = a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

  For configuring SSP to generate eduPersonTargetedID (ePTID), see https://simplesamlphp.org/docs/1.5/simplesamlphp-authproc#section_2_5

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • eduPersonTargetedID is the basis for the pairwise sub value



Persistent SAML NameID, eduPersonAffiliation and schacHomeOrganization

Configuration

  IdP releases:
  • persistent SAML NameID
  • eduPersonAffiliation
  • schacHomeOrganization

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  urn:oid:1.3.6.1.4.1.25178.1.2.9 = example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.1 = student

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • persistent SAML NameID is the basis for the pairwise sub value



Persistent SAML NameID, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • persistent SAML NameID
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.



Persistent SAML NameID, eduPersonPrincipalName, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • persistent SAML NameID
  • eduPersonPrincipalName
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = username@example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • We must use the SAML NameID as the basis for our identifier, as ePPN may be reassigned.



Persistent SAML NameID, eduPersonUniqueId, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • persistent SAML NameID
  • eduPersonUniqueId
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  urn:oid:1.3.6.1.4.1.5923.1.1.1.13 = 3290vdsjk2njks9@example.org
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • We must use eduPersonUniqueId as the basis for our identifier, as ePPN may be reassigned.



Persistent SAML NameID, eduPersonTargetedID, eduPersonScopedAffiliation

Configuration

  IdP releases:
  • persistent SAML NameID
  • eduPersonTargetedID
  • eduPersonScopedAffiliation

  RP requests:
  • persistent scope
  • student scope

Parameters (for SSP)

  NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  urn:oid:1.3.6.1.4.1.5923.1.1.1.10 = a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35
  urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

  For configuring SSP to generate eduPersonTargetedID (ePTID), see https://simplesamlphp.org/docs/1.5/simplesamlphp-authproc#section_2_5

Expected Result

  • Student validation PASS
  • Affiliate validation PASS
  • Employee validation FAIL
  • RP receives a pairwise sub for each transaction.
  • We must use eduPersonTargetedID as the basis for our identifier, as ePPN may be reassigned.
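The scenarios above encode a small decision procedure: pick the attribute the persistent identifier is based on (or fail the transaction when the IdP released none), derive a pairwise sub for the requesting RP, and evaluate the student/affiliate/employee checks. The following Python is an added illustration of that procedure for use as a test harness; it is not code from this page, from SimpleSAMLphp, or from any particular proxy. Assumptions, labelled in the comments as well: the precedence between eduPersonUniqueId and eduPersonTargetedID (the matrix never releases both), the HMAC-SHA256 pairwise construction with the RP client_id standing in for the sector identifier, the affiliation-to-scope mapping, and that attribute values are supplied as the "key = value" lines used in the Parameters sections. The attribute OIDs and sample values are those from the matrix; NameID values, client IDs and the salt are constructed.

```python
import hashlib
import hmac

# Attribute names as they appear in the Parameters sections (real eduPerson/SCHAC OIDs from the matrix).
OID_EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
OID_EDU_PERSON_PRINCIPAL_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
OID_EDU_PERSON_SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
OID_EDU_PERSON_TARGETED_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
OID_EDU_PERSON_UNIQUE_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
OID_SCHAC_HOME_ORGANIZATION = "urn:oid:1.3.6.1.4.1.25178.1.2.9"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Scope -> affiliation values that satisfy it. Assumed mapping: the matrix only fixes that a
# 'student' passes the student and affiliate checks and fails the employee check.
SCOPE_AFFILIATIONS = {
    "student": {"student"},
    "employee": {"employee", "faculty", "staff"},
}


class InvalidAttributes(Exception):
    """No persistent identifier can be derived: the proxy redirects to the invalid attributes page."""


def parse_params(text):
    """Parse the 'key = value' lines of a Parameters section into a dict (first '=' splits)."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def select_identifier_basis(nameid_format, nameid_value, attrs):
    """Return (source, value) for the attribute the pairwise sub is based on.

    Precedence follows the Expected Result rows: eduPersonUniqueId and eduPersonTargetedID
    beat a persistent NameID, which beats ePPN (ePPN may be reassigned). Ranking
    eduPersonUniqueId above eduPersonTargetedID is an assumption; the matrix never
    releases both. A transient NameID is never a basis, so with nothing else released
    the transaction fails.
    """
    if OID_EDU_PERSON_UNIQUE_ID in attrs:
        return ("eduPersonUniqueId", attrs[OID_EDU_PERSON_UNIQUE_ID])
    if OID_EDU_PERSON_TARGETED_ID in attrs:
        return ("eduPersonTargetedID", attrs[OID_EDU_PERSON_TARGETED_ID])
    if nameid_format == NAMEID_PERSISTENT and nameid_value:
        return ("persistent NameID", nameid_value)
    if OID_EDU_PERSON_PRINCIPAL_NAME in attrs:
        return ("eduPersonPrincipalName", attrs[OID_EDU_PERSON_PRINCIPAL_NAME])
    raise InvalidAttributes("IdP released no persistent identifier")


def pairwise_sub(basis_value, client_id, salt):
    """Derive the per-RP sub: HMAC-SHA256, keyed with a proxy-wide secret salt, over client_id and the basis.

    Assumed construction (the page does not specify one). Keying with a secret means two RPs
    cannot correlate a user by comparing sub values, and the IdP's identifier is never exposed.
    """
    msg = client_id.encode() + b"\x00" + basis_value.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def scoped_affiliations(attrs):
    """Collect (affiliation, organization) pairs from eduPersonScopedAffiliation, or from
    eduPersonAffiliation combined with schacHomeOrganization. Multi-valued attributes are
    written 'a;b' here (a constructed convention for the text parameters)."""
    pairs = set()
    for value in attrs.get(OID_EDU_PERSON_SCOPED_AFFILIATION, "").split(";"):
        if "@" in value:
            pairs.add(tuple(value.split("@", 1)))
    org = attrs.get(OID_SCHAC_HOME_ORGANIZATION)
    if org:
        for value in attrs.get(OID_EDU_PERSON_AFFILIATION, "").split(";"):
            if value:
                pairs.add((value, org))
    return pairs


def validate_scope(scope, attrs):
    """'affiliate' passes for any affiliation at the home organization; other scopes use SCOPE_AFFILIATIONS."""
    affiliations = {aff for aff, _org in scoped_affiliations(attrs)}
    if scope == "affiliate":
        return bool(affiliations)
    return bool(affiliations & SCOPE_AFFILIATIONS.get(scope, set()))


def run_scenario(nameid_value, params_text, client_id, salt=b"constructed-proxy-salt"):
    """Evaluate one row of the matrix. Returns the basis, the sub and the three checks, or raises
    InvalidAttributes for the 'TRANSACTION MUST FAIL' rows. nameid_value is whatever the IdP sent
    in <NameID>; for a transient format it is ignored as a basis."""
    params = parse_params(params_text)
    nameid_format = params.pop("NameIDFormat", NAMEID_TRANSIENT)
    source, value = select_identifier_basis(nameid_format, nameid_value, params)
    return {
        "basis": source,
        "sub": pairwise_sub(value, client_id, salt),
        "student": validate_scope("student", params),
        "affiliate": validate_scope("affiliate", params),
        "employee": validate_scope("employee", params),
    }


if __name__ == "__main__":
    # Row "Transient SAML NameID, eduPersonPrincipalName, eduPersonScopedAffiliation" (values from the matrix).
    row = (
        "NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n"
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = username@example.org\n"
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org"
    )
    print(run_scenario("_constructed-transient-id", row, "https://rp-a.example/client"))
```

Running the same row twice for one client_id yields the same sub (the RP's stable identifier), while a second client_id yields a different sub (pairwise). Feeding the first row of the matrix (transient NameID, only eduPersonAffiliation and schacHomeOrganization) raises InvalidAttributes, which is the expected "redirect to invalid attributes page" outcome.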