UPDATE ......From Tuesday 8 April 2025 we have changed the way that Single Sign-on works on this wiki. Please see here for more information:
Update
...
- CN attribute shall be a combination of the SAML attribute "displayName" and the eduPersonUniqueID
- If eduPersonUniqueID is not released eduPersonPrincipalName shall be used
- if eduPersonPrincipalName is not released eduPersonTargetedID shall be used
- The CA must ensure that the CN is unique within their namespace
- The RFC (5280 or 2459 to check) limits the length of the CN field to 64 characters. The string obtained as a combination of displayName+eduPUID may be longer than the limit. The CA must therefore re-hash the eduPUID to use a shorter, but globally unique, version of the user unique identifier.
- The re-hashing makes impossible for the e-infrastructure to map univocally the user's UID provided by the IdP to the certificate DN. This information can be provided by the CA as part of an incident response procedure.
- The CA must publish publicly the re-hashing algorithm, any change to the algorithm should follow a clear procedure to communicate the changes to all stakeholders. In this way the e-infrastructure can calculate the re-hashed user eduPUID used in the certificate and store the information internally, for a quicker incident response procedure.
Recommendations for the O= fields
The "O=" fields contain information about the organization of the user. The certification authority should add the values of the following SAML attributes as separate "/O=" fileds in the certificate DN:
- schacHomeOrganisation
- organisationDisplayName
- domain name of the IdP entity ID URL
example:
- "/O=fullyQualifiedNameOrganizationA/O=OrganizationA/O=idp.organizationa.org"
References
•MJRA1.3: Design for the integration of an Attribute Management Tool
...