Task #3394: Deploy Shibboleth provider for KNB LDAP accounts
Investigate using alternative CILogon DN format
We are currently looking at values akin to:
CN=Ben Leinfelder T6468,O=DataONE Test,C=US,DC=cilogon,DC=org
But we were curious if instead of a common name + random string you could just use the uid for our identities (mine is 'leinfelder'):
Our main concern is that the DN we get back from you contains random information that we do not have control over. I've also noticed some character encoding issues for our international users that have accents and such in their names:
CN=FlÃ\;¡\;via Pezzini T6456,O=Google,C=US,DC=cilogon,DC=org (Flávia Pezzini)
CN=JosÃ\;©\; Augusto Salim T6455,O=Google,C=US,DC=cilogon,DC=org (José Augusto Salim)
When I changed my name in Google for testing purposes, both of these issues were highlighted in the CILogon warning screen:
One or more of the attributes released by your organization has changed since the last time you logged on to the CILogon Service. This will affect your certificates as described below. The above changes to your attributes will cause your certificate subject to change. You may be required to re-register with relying parties using this new certificate subject.
Previous Subject DN: CN=ben leinfelder A756,O=Google,C=US,DC=cilogon,DC=org
Current Subject DN: CN=benjamÃn leinfelder A1806,O=Google,C=US,DC=cilogon,DC=org
Perhaps that is just par for the course and what we have signed up to deal with by using CILogon, but it seems like people could freely edit their names if we used UID in the DN instead of CN.
#1 Updated by Ben Leinfelder almost 9 years ago
From Jim Basney:¶
Under our current policy for the DataONE Test IdP we could do:
CN=Ben Leinfelder (leinfelder),O=DataONE Test,C=US,DC=cilogon,DC=org
but we aren't allowed to use "UID=" in the DN per http://www.ogf.org/documents/GFD.125.pdf.
Good questions about the UTF8 encoding. I need to defer to Terry on what's going on there. I agree it looks like a bug.
#3 Updated by Ben Leinfelder almost 9 years ago
- Status changed from New to Closed
- translation missing: en.field_remaining_hours set to 0.0
We've settled on the following DN format for our identities. This will only apply to accounts that use our IdPs: