Versions Compared

Old Version 1

changes.mady.by.user Niels van Dijk

Saved on

compared with

New Version Current

changes.mady.by.user Niels van Dijk

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

For testing with SimpleSAMLPHP, see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted for reference on how to configure SSP

Transient identifier scenarios

In a transient identifier scenario, the RP requests a transient identifier using the transient scope, and should receive a unique sub per transaction, regardless of which attributes we received from the SAML IdP as an identifier (even if this is a persistent Identifier)

The following scenarios need to be tested:

SAML NameID, eduPersonAffiliation and SchacHomeOrganization

ConfigurationParameters (for SSP)Expected Result

Transient SAML NameID, eduPersonAffiliation and SchacHomeOrganization

IdP: release

  • transient SAML nameID
  • edupersonaffiliation
  • schachomeorganization

RP request:

  • transient scope
  • student scope
NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.25178.1.2.9 = example.org
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 = student

Student validation PASS
Affiliate validation PASS
Employee validation FAIL

RP

recieves

receives a new, unique sub for each transaction.




Transient SAML NameID, eduPersonScopedAffiliation

IdP: release

  • transient SAML nameID

  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope
NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Student validation PASS
Affiliate validation PASS
Employee validation FAIL


RP
recieves
receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonPrincipleName, eduPersonScopedAffiliation

IdP: release

  • transient SAML nameID
  • edupersonPrincipleName

  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient

urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = username@example.org

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Student validation PASS
Affiliate validation PASS
Employee validation FAIL


RP
recieves
receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonUniqueID, eduPersonScopedAffiliation

IdP: release

  • transient SAML nameID
  • edupersonUniqueID

  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient

urn:oid:1.3.6.1.4.1.5923.1.1.1.13 = 3290vdsjk2njks9@example.org

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Student validation PASS
Affiliate validation PASS
Employee validation FAIL


RP
recieves
receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonTargetedD, eduPersonScopedAffiliation

IdP: release

  • transient SAML nameID
  • edupersonUniqueID

  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient

urn:oid:1.3.6.1.4.1.5923.1.1.1.

13 = 3290vdsjk2njks9@example.org

10 = a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35 

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Persistent identifier scenario

Right so with the instance test the following, have a look at this:

...


For config of ssp for generating ePTiD, see https://simplesamlphp.org/docs/1.5/simplesamlphp-authproc#section_2_5

Student validation PASS
Affiliate validation PASS
Employee validation FAIL


RP receives a new, unique sub for each transaction.