[Satosa-dev] microservice for primary identifier

For example, the second element in the list is ['eppn', 'name_id:urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'] which means that the combination of eduPersonPrincipalName and SAML2 persistent NameID would be the identifier.

I think it is the best approach and will allow SATOSA to focus on doing fewer things well. But it does suggest we will want some type of "standard" for communicating the errors from SATOSA to the other service. Right now I am just redirecting the browser to the error service with a query string that includes the SP and IdP entityIDs so we can track which SPs users were trying to access and which IdPs did not give us anything we can use as an identifier. I am not particularly happy with that either but I need something right now and hope that some type of "standard" could evolve.

I don't think of it that way. I think of it as the only approach to be able to uniquely identify a user for a VO that federates widely across eduGAIN where the practice of what attributes an IdP will assert varies across the entire spectrum. Let me put it a different way to the list: if your SATOSA proxy is federating with IdPs from InCommon, most EU countries, Japan, Australia, Chile, and India, how do you make sure that you uniquely identify each user so that a simple SP behind the proxy can just look at $REMOTE_USER? Given the definition of the R&S entity category and that IdPs do re-assign ePPN, as well as the realities of IdPs only sending a targeted identifier sometimes, I don't see any way to do this other than use the ordered list I am proposing?

Thanks. I will look at that in more detail.