generated from coulomb/repo-seed
Backfill all 23 research source notes with terminology extracts, modeling assumptions, conflicts, canonical mappings, and references. Refresh terminology artifacts, refine the conceptual model with explicit scenario paths, reconcile canon surfaces and open questions, and mark the workplan finished.
128 lines
5.7 KiB
Markdown
128 lines
5.7 KiB
Markdown
# SAML NameID Federation
|
|
|
|
## Source Type
|
|
|
|
Standard. OASIS SAML 2.0 Core and Profiles for Web Browser SSO; NameID formats
|
|
and federation metadata conventions.
|
|
|
|
## Domain
|
|
|
|
Enterprise federation, single sign-on, assertion semantics, and cross-domain
|
|
identity correlation.
|
|
|
|
## Why This Source Matters
|
|
|
|
SAML 2.0 remains central to enterprise federation. NameID formats, assertion
|
|
subject statements, attribute statements, and IdP/SP metadata define how
|
|
enterprise identities cross organizational boundaries.
|
|
|
|
## Key Concepts
|
|
|
|
- **Identity Provider (IdP)**: asserts authentication and attributes about a
|
|
subject to service providers.
|
|
- **Service Provider (SP)**: consumes assertions and establishes local session.
|
|
- **Assertion**: XML security token containing subject, conditions, authn
|
|
statements, and attribute statements.
|
|
- **Subject / NameID**: identifier for the principal at the IdP; carries
|
|
Format attribute defining syntax and semantics.
|
|
- **NameID formats**: transient, persistent, emailAddress, X509SubjectName,
|
|
kerberos, entity, unspecified, and others.
|
|
- **Persistent NameID**: stable, opaque identifier for a principal at an IdP.
|
|
- **Transient NameID**: one-time identifier for a single federation session.
|
|
- **AttributeStatement**: SAML attributes (mail, eduPersonPrincipalName, group
|
|
memberships) about the subject.
|
|
- **AuthnStatement**: authentication instant, session index, and context class.
|
|
- **AudienceRestriction**: scopes assertion to intended SP entity IDs.
|
|
- **Metadata**: XML describing IdP/SP endpoints, certificates, NameID formats,
|
|
and supported attributes.
|
|
- **Affiliation / discovery**: federations aggregate metadata for trust circles.
|
|
|
|
## Relevant Terminology
|
|
|
|
| Term | Source meaning |
|
|
| --- | --- |
|
|
| Principal | Authenticated entity; identified by NameID in assertion. |
|
|
| NameID | Subject identifier chosen by IdP; format determines semantics. |
|
|
| Persistent NameID | Long-lived opaque ID stable for principal at IdP. |
|
|
| Transient NameID | Ephemeral ID for one session; privacy-preserving. |
|
|
| Subject | SAML assertion subject element holding NameID. |
|
|
| Attribute | Named property asserted about subject. |
|
|
| EntityID | Unique identifier for IdP or SP in metadata. |
|
|
| Assertion | Signed statement about authentication and attributes. |
|
|
| SessionIndex | Handle for single logout correlation. |
|
|
| Audience | Intended SP for assertion consumption. |
|
|
|
|
## Modeling Assumptions
|
|
|
|
- **NameID is the primary correlation key** between IdP and SP for account
|
|
linking.
|
|
- **Format determines persistence and privacy**; persistent enables cross-
|
|
session linking, transient prevents it.
|
|
- **Principal means authenticated subject**, not a pre-provisioned local user.
|
|
- **Attributes are asserted**, not authoritative directory records in the SP.
|
|
- **Trust is pairwise** between IdP and SP via metadata exchange.
|
|
- **Groups may appear as attributes**, not as first-class relationship tuples.
|
|
- **Federation operates across organizational boundaries**; each side
|
|
maintains its own namespace.
|
|
|
|
## Identity-Canon Implications
|
|
|
|
- SAML **NameID** maps to **Identifier** or **Scoped Identifier** depending
|
|
on format (persistent vs. transient).
|
|
- **Persistent NameID** supports **Synonymity Assertion** linking SP local
|
|
Account to IdP identifier.
|
|
- **Transient NameID** maps to session-scoped **Scoped Identifier** with no
|
|
cross-session synonymity.
|
|
- **Principal** in assertion maps to **Authenticated Subject** projection.
|
|
- **AttributeStatement** attributes map to **Claim** objects.
|
|
- **EntityID** maps to **Scope** identifier for IdP/SP.
|
|
- **AudienceRestriction** maps to Scope boundary for assertion validity.
|
|
- **Attribute-based group membership** maps to **Claim** (group attribute) or
|
|
Membership hint, not canonical Group unless provisioned.
|
|
- Supports S02 (multi-scope accounts), S13 (strong link via persistent NameID).
|
|
|
|
## Terminology Conflicts
|
|
|
|
- **Principal vs. Subject**: SAML uses both; principal is authenticated entity,
|
|
subject is XML element.
|
|
- **Principal vs. Authorization Principal**: SAML principal is auth subject,
|
|
not Cedar principal.
|
|
- **Persistent vs. Pairwise**: SAML persistent NameID is IdP-wide stable;
|
|
OIDC pairwise is RP-specific.
|
|
- **NameID vs. emailAddress format**: email as identifier conflates Identifier
|
|
with contact attribute.
|
|
- **Attribute vs. Claim**: SAML attribute is XML element; canon Claim is
|
|
issuer statement — compatible but different syntax.
|
|
|
|
## Candidate Canonical Mappings
|
|
|
|
| SAML concept | Candidate canonical concept |
|
|
| --- | --- |
|
|
| NameID (persistent) | Identifier |
|
|
| NameID (transient) | Scoped Identifier (session-bound) |
|
|
| NameID (emailAddress) | Identifier (with attribute conflation risk) |
|
|
| Principal | Authenticated Subject |
|
|
| Subject element | Protocol binding for Authenticated Subject |
|
|
| AttributeStatement attribute | Claim |
|
|
| EntityID (IdP/SP) | Scope identifier |
|
|
| Assertion | Credential / signed assertion |
|
|
| Audience | Scope boundary |
|
|
| SessionIndex | Session correlation reference (projection) |
|
|
| SP local account mapping | Synonymity Assertion |
|
|
|
|
## Open Questions
|
|
|
|
- Should persistent NameID map to strong Synonymity by default, or only after
|
|
SP verification (S13)?
|
|
- How should eduPerson / SCHAC attribute vocabularies map to Profile vs. Claim?
|
|
- Does transient NameID session scope warrant a distinct Lifecycle State on the
|
|
Scoped Identifier?
|
|
- Should federation metadata trust map to **Trust Relationship** with
|
|
certificate Evidence Source?
|
|
|
|
## References
|
|
|
|
- SAML 2.0 Core — http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
|
|
- SAML 2.0 Profiles — http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
|
|
- SAML NameID Format URIs — http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf (§8.3)
|
|
- REFEDS entity categories — https://refeds.org/category |