What do you mean by "Issuer on mapping"? Is it like writing to LDAP not just a social id but issuer as well, so that registeredSocialId attribute will have "google:id" combination, and then "Social Dir" disambiguation will be (registeredSocialId=google:[id-from-login]). This will require "Social Dir per Vendor", right?
- CB: Yes, something like that. In our scenario we actually have separate attributes - since they already existed in the enterprise directory, indexed, and managed so was easy to piggy back on them - so like googleId=[id-from-login], facebookId=[id-from-login]. For certificate authentication then we piggy back on Microsoft's altSecurityIdentity (ASI) concept which is like "X509:<I>[issuer from cert]<S>[subject from cert]" and can be multi-valued this way it ensures guaranteed uniqueness across the dozens of external CAs we trust and Issuer A cannot impersonate Issuer B users by having the same subject.
Using a scoped attribute at registration time, such as you mention (registeredSocialId=google:[id-from-login]), would do similar; that was our long-term goal but for now using multiple attributes. This way if the user came from say a compromised WeakIDP but used the same email then the search should fail because you'd end up with a search like (registeredSocialId=WeakIDP:[id-from-login]) and not find the user. If the legit user came in from Google then it'd pass because now the search would be for the proper (registeredSocialId=google:[id-from-login]).
With that type of setup you'r helping to ensure uniqueness to a specific IDP versus a generic attribute like email address (which can be re-used and also changed). There may be cases where email is still used - due to guaranteed unique from IDP - but should still always be combined with Issuer in some fashion.
The OIDC specs has some input regarding this as well with statements such as:
5.7: "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim"
16.15: ""OpenID Connect treats the path component of any Issuer URI as being part of the Issuer Identifier. For instance, the subject "1234" with an Issuer Identifier of "https://example.com" is not equivalent to the subject "1234" with an Issuer Identifier of "https://example.com/sales"."
One other benefit with tracking and leveraging trusted Issuer overall is also getting into more attribute based access control. For example, if I have a rule set that says anyone from WidgetCorp that is a Developer and logged in via MFA should have access to DevResources, then by closely tracking and leveraging the Issuer at linking and session, I can now assert and trust that UserMike is from WidgetCorp, used a strong cred and they asserted he is a Developer therefore allow access. So now, by having that trust with WidgetCorp, anyone that is a developer gets instant access to DevResources by simply authenticating through them into the asset and coming in with appropriate claims. Without closely tracking and monitoring the Issuer and who actually asserted the identity, I can't know for certain that the user is in fact associated with that organization and would always be reliant on some other mechanism to track access (internal role based, SCIM, etc). Social Login doesn't fall much into that realm, but something to consider for other higher level trusts where knowing that kind of information is vital.
-Identity mapping to "Normal Dir". You mean an identity mapping where Source: "Normal Dir" and Target: "Social Dir", another mapping Source: "Normal Dir" and Target: "SomeOther"? I made this work, but it looks counterintuitive to me. If my application has "Normal Dir" and a user accesses it after OAuth authentication with "Social Dir" a logical mapping would be from "Social Dir" to "Normal Dir".
Mapping this way:
"Social Dir" -- target -> "Normal Dir" .
"SomeOther" -- target -> "Normal Dir".
Basically just a big loopback and using the "virtual directories" (if you consider them that way) to adjust the LDAP search strings as needed (objectClass, ldap base, so on).
Then the only application that needs to assign the "Social Dir" and "SomeOther" would be the centralized credential collector since it has to authenticate to that directory first. THEN the mapping kicks in and attaches user to the "Normal Dir" for subsequent app access.