How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier

Nate Klingenstein ndk at
Wed Aug 1 20:51:20 EDT 2012


> What I want to know is, if SP specify transient, it is very clear  
> that the value will be a temporary number. but if SP specify "urn:mace:shibboleth:1.0:nameIdentifier 
> " as the format, SP still doesn't know what will be the value inside  
> the NameID. SP only knows that this value can represent this user.  
> It can be email address, give name, or what ever. This is defined by  
> IdP. Is that correct? Is there a place that defined what can be put  
> inside the "nameIdentifier" so IdP and SP will follow this rule?

urn:mace:shibboleth:1.0:nameIdentifier has reasonably precisely  
defined semantics.  See section 3.3 of the old Shibboleth specification:

It's effectively a legacy transientId for use with the Shibboleth  
edition of SAML 1.1.

> Also it says "urn.....shibboleth:1.0:nameIdentifier", does it mean  
> it only works for SAML1.0? If I send a SAML2.0 AuthnRequest, will  
> IdP return this?

The IdP could hypothetically be configured to send this NameID using  
the SAML 2.0 protocol, but I think that would be a very unwise choice.

There's a reason that identifiers are well-typed: so that the SP knows  
what, if anything, to do with them once they're received.  I'd  
strongly suggest choosing the right identifier type for the identifier  
you'd like to send.

If you have a use case that you'd like to discuss, please let us know.

Take care,
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list