NameID Decoding
It Meme
it.meme01 at gmail.com
Thu Sep 8 00:36:29 BST 2011
Hi Scott:
I suspected something was rotten - you have confirmed it.
> Why do you feel the need to use a NameID?
This was a request by a vendor, service-now - there is a write-up on
this from University of Chicago:
https://docs.google.com/document/d/1yApSgHn0C02z09zYC3CD_edX7s3DbnuGgJ-kI-BhqYI/edit?hl=en_US&authkey=CPK1ppQN&pli=1
It looks like service-now can only accept NameIDs.
Would I do it something like the following, feeding in our university
identifier instead?
How does the SP decode this?
Why would an application, like service-now, be keen on the NameId?
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <!-- Each encoder emits the value as a NameID-valued attribute for the
         respective SAML version; neither defines the Subject's NameID. -->
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>
On Wed, Sep 7, 2011 at 4:20 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 9/7/11 7:09 PM, "It Meme" <it.meme01 at gmail.com> wrote:
>
>>The following lists the IdP & SP end-points for releasing the
>>university's ID, as a NameId
>
> Why do you feel the need to use a NameID?
>
>>That leads me to deduce that either we are not handling the encoding
>>of the attribute, uniNameID, as a NameId, correctly or the SP is not
>>correctly configured to decode the attribute.
>
> You're definitely not doing the NameID thing. If you read the big red
> warning at the top of the exact topic that documents the attribute
> definition you're using, I think it's pretty clearly not what you think
> you're doing.
>
> "This does not define a <NameID> for use in the <Subject> of the
> assertion."
>
>>Any feedback on paths to investigate (or have we got our understanding
>>of NameID out-of-kilter?)
>
> My advice is stop trying to use NameIDs and just pass the value as a
> normal string or scoped attribute as desired.
>
> Alternatively if you really want to use a NameID, you're using the wrong
> approach and need to review this topic:
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier
>
> -- Scott
>
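Added illustration (not part of the thread, and not Shibboleth code) of the distinction Scott draws above: a NameID in the assertion's Subject versus a NameID wrapped inside an AttributeValue, which is what the SAML2StringNameID attribute encoder produces. The sample assertion, its issuer and entity IDs, the attribute name urn:mace:example.edu:uniNameID and all values are constructed for the example. The parser reads the Subject NameID separately from the attribute statement, and the nameid_aware switch shows why an SP that decodes every AttributeValue as plain text sees an empty value for a NameID-valued attribute (the Shibboleth SP needs the NameIDAttributeDecoder in attribute-map.xml for such attributes).

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample assertion (made-up IDs and values, not from the thread).
# It carries a NameID in two places: the <Subject>, and inside an
# <AttributeValue> as the SAML2StringNameID encoder emits it.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                  NameQualifier="https://idp.example.edu/idp/shibboleth"
                  SPNameQualifier="https://sp.example.com/shibboleth">_a1b2c3d4</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:mace:example.edu:uniNameID">
      <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">u123456</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml2:AttributeValue>jdoe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def subject_name_id(assertion_xml):
    """Return (Format, value) of the Subject's NameID, or None if absent.

    This is the identifier an SP uses for the session subject; an attribute
    encoder never populates it.
    """
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml2:Subject/saml2:NameID", NS)
    if nid is None:
        return None
    return (nid.get("Format"), (nid.text or "").strip())


def attribute_values(assertion_xml, nameid_aware=True):
    """Map each Attribute Name to a list of decoded values.

    With nameid_aware=True an <AttributeValue> wrapping a <NameID> decodes to
    the NameID's text and Format. With nameid_aware=False every value is
    treated as plain text, which is what a string-only decoder does; the
    NameID-valued attribute then decodes to an empty string (its element text
    is only whitespace), which looks like "the SP is not decoding it".
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        values = []
        for av in attr.findall("saml2:AttributeValue", NS):
            nid = av.find("saml2:NameID", NS) if nameid_aware else None
            if nid is not None:
                values.append({"kind": "NameID",
                               "format": nid.get("Format"),
                               "value": (nid.text or "").strip()})
            else:
                values.append({"kind": "string",
                               "value": (av.text or "").strip()})
        result[attr.get("Name")] = values
    return result


if __name__ == "__main__":
    print("Subject NameID:", subject_name_id(SAMPLE_ASSERTION))
    print("NameID-aware:", attribute_values(SAMPLE_ASSERTION))
    print("String-only:", attribute_values(SAMPLE_ASSERTION, nameid_aware=False))
```

The string-only pass is the failure mode worth checking for when an SP "loses" an attribute: inspect the raw assertion, and if the value is a nested NameID rather than text, the fix is on the SP's decoder configuration, not the IdP encoder.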