This page gives some examples of how attributes which are asserted by social identity providers (via both OAuth and OpenID) could be mapped to MACE-Dir/SAML attributes.
Caution
In most cases, it still needs to be verified whether the value for eduPersonTargetedID is unique for a given person and service.
Facebook supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Facebook Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | Lucas Rockwell | See |
| | | Lucas Rockwell | Duplicate of |
| | | lr@lucasrockwell.com | |
| | | lucasrockwell | Can be blank, and a user can change this once for the lifetime of their account. |
| | | lucasrockwell@facebook.com | |
| | | *http://facebook.com!12...71* | |
Google supports two standard SSO protocols: OpenID 2.0 and OpenID Connect. The latter is an emerging IETF standard profile of OAuth2.
| eduPerson Attribute | Google Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | Google does not provide |
| | | | Google does not provide |
| | | lucasrockwell@gmail.com | |
| | | | Google does not provide |
| | | lucasrockwell@gmail.com | Using http://axschema.org/contact/email for |
| | Private Personal Identifier (PPID) | | An opaque, per-SP identifier, just like ePTID |
| eduPerson Attribute | Google Attribute | Example Value | Notes |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
LinkedIn supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | LinkedIn Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | LinkedIn does not provide |
| | | | LinkedIn does not provide |
| | | | LinkedIn does not provide |
| | | Y...r | |
| | | Y...r@linkedin.com | Local part is the same value as |
| | | *http://linkedin.com!Y...r* | Unique value is the same value as |
Twitter supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Twitter Attribute | Example Value | Notes |
|---|---|---|---|
| | | | Twitter does not provide |
| | | | Twitter does not provide |
| | | Lucas Rockwell | |
| | | Lucas Rockwell | |
| | | | Twitter does not provide |
| | | lucasrockwell | |
| | | lucasrockwell@twitter.com | |
| | | *http://twitter.com!1...5* | |
Windows Live supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Windows Live Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | Windows Live does not provide |
| | | | Windows Live does not provide |
| | | lr@lucasrockwell.com | This is not necessarily an address @hotmail.com. |
| | | fd...89 | |
| | | fd...89@windowslive.com | Local part is the same value as |
| | | *http://windowslive.com!fd...89* | Unique value is the same value as |
The matrix below lists various attributes and which providers supply those attributes. Note: This table is not complete.
| Provider | First Name | Last Name | Transient Email* | Persistent Email | Human-readable Unique ID | Machine-readable Unique ID | SP-specific ID |
|---|---|---|---|---|---|---|---|
| | (Have not verified this yet.) | (Have not verified this yet.) | | | | | |
| Google OpenID Connect | | (Email...) | (Appears user can only look it up if Google+ is enabled for the account.) | | | | |
| Google OpenID 2.0 | | (Email...) | | (The OpenID can either be set for the SP realm, or the domain realm, so only SP-specific if you ask Google to do that for you.) | | | |
| | (Only if enabled via the Public Profile Settings page, however, a user can change this at will.) | | | | | | |
| | | (Have not verified this yet.) | (Have not verified this yet.) | | | | |
| Windows Live | | (Email, but there is more than one, so perhaps not...) | (Have not verified this yet.) | (Have not verified this yet.) | | | |
Notes
* Unless the email address ends in the provider's own domain, the likelihood that the user can change it at their whim is pretty high. This is great if you are using email as email, i.e., you actually want to know the user's email address. On the other hand, it can have very significant impacts on your service if you are trying to use email as the basis for eduPersonPrincipalName.
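The mapping pattern the tables above show (ePTID as `<provider URL>!<id>`, a scoped ePPN whose local part is a stable provider id) combined with the email caveat in the Notes, as an added Python example that is not from the original page. The `Provider` class, the claim key names `id`, `username` and `email`, and the sample ids are assumptions; `_mail_persistent` is a local flag, not an eduPerson attribute.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provider:
    name: str
    url: str     # ePTID scope, as in "http://facebook.com!<id>"
    domain: str  # ePPN scope, as in "<local-part>@facebook.com"

# Constructed for this example, in the URL/domain forms the tables above use.
FACEBOOK = Provider("Facebook", "http://facebook.com", "facebook.com")
WINDOWS_LIVE = Provider("Windows Live", "http://windowslive.com", "windowslive.com")

def mail_is_persistent(provider: Provider, email: str) -> bool:
    """Notes rule: only an address in the provider's own domain may be treated
    as persistent; any other address the user can change at will."""
    return email.lower().endswith("@" + provider.domain)

def map_claims(provider: Provider, claims: dict) -> dict:
    """Derive eduPerson attributes from a provider's asserted claims.

    Claim keys ("id", "username", "email") are assumed names. ePTID and ePPN
    are built from the immutable provider id (as the LinkedIn and Windows Live
    rows do), never from email, so an email change cannot move an account.
    "_mail_persistent" is local bookkeeping, not an eduPerson attribute."""
    uid = claims.get("id")
    if not uid:
        raise ValueError(f"{provider.name} asserted no immutable id")
    attrs = {
        "eduPersonTargetedID": f"{provider.url}!{uid}",
        "eduPersonPrincipalName": f"{uid}@{provider.domain}",
    }
    email = claims.get("email")
    if email:
        attrs["mail"] = email
        attrs["_mail_persistent"] = mail_is_persistent(provider, email)
    # A username (blank or once-changeable on Facebook) is carried as uid for
    # display only, never as the account key.
    if claims.get("username"):
        attrs["uid"] = claims["username"]
    return attrs

def same_account(before: dict, after: dict) -> bool:
    """Two logins belong to one account iff their ePTID matches, so a user who
    changes a transient email still lands on the same account."""
    return before["eduPersonTargetedID"] == after["eduPersonTargetedID"]
```

Calling `map_claims(FACEBOOK, {"id": "123456789", "email": "lr@lucasrockwell.com"})` yields an ePTID of `http://facebook.com!123456789` and marks the email transient, since it is not in facebook.com.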