...

The discussion focused mainly on EPPN and email. The question of whether it is acceptable to use email as EPPN was discussed; the general feeling was that this is not a good idea, but it is ultimately up to the SP/application admin to determine how he/she wants to consume attributes. However, some requirements (e.g., "advance predictability") may make the email choice more attractive. Scott also noted that shibd is highly configurable, so if the Gateway issued an attribute in one format, shibd could easily rewrite it so the SP could consume it in the format it expects.

...

Several options were discussed for provisioning a user by their social identifier. Steven gave an example of an application where students will need to grant access to their supervisor from their summer internship, and the supervisor will be logging in via a social provider. Ideally, the student could just enter their supervisor’s social username into the application. Of course, this works great for services where you know the username, like Twitter and Facebook. This use case could also be addressed by having the student enter a social email address and sending an INVITE to that address. The EPPN would be obtained when the user returns.

Tip: Recommendation

Instead of asking end users to provide their social identifier (or the identifiers of others), ask them for an email address. Later, when the user logs into your app in response to an email invitation, map the identifier asserted by the social IdP to the email address originally provided by the user.
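
One way to implement the recommendation above, as an added example that is not from these notes or from any project's code: the emailed link carries a one-time token, and redeeming it after login binds the identifier asserted by the social IdP to the invited address. `InviteRegistry`, `INVITE_TTL`, storing only the token hash, and refusing to rebind an address to a second identifier are all assumptions of this sketch.

```python
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumed validity window in seconds, not from the page


class InviteRegistry:
    """Hypothetical in-memory store; a real application would use its database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (invited email, expires_at)
        self._bindings = {}  # invited email -> identifier asserted by the IdP

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, email):
        """Record an invitation; return the token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (
            email.strip().lower(), self._clock() + INVITE_TTL)
        return token

    def redeem(self, token, asserted_id):
        """Bind the identifier asserted at login to the invited address.

        Returns the invited email, or None if the token is unknown, already
        used, expired, or the address is already bound to another identifier.
        """
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None or self._clock() > entry[1]:
            return None
        email = entry[0]
        # Assumed policy: a later invite must not silently rebind the address.
        if self._bindings.setdefault(email, asserted_id) != asserted_id:
            return None
        return email

    def emails_for(self, asserted_id):
        """On later logins, list the invited addresses this identifier holds."""
        return sorted(e for e, i in self._bindings.items() if i == asserted_id)
```

The application never trusts an email claim from the social provider here; possession of the emailed token is what links the asserted identifier to the address the inviting user typed.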

...