How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier
Nate Klingenstein
ndk at internet2.edu
Wed Aug 1 20:51:20 EDT 2012
Yaowen,
> What I want to know is, if the SP specifies transient, it is very clear
> that the value will be a temporary number. But if the SP specifies
> "urn:mace:shibboleth:1.0:nameIdentifier" as the format, the SP still doesn't
> know what the value inside the NameID will be. The SP only knows that this
> value can represent this user. It can be an email address, given name, or
> whatever. This is defined by the IdP. Is that correct? Is there a place that
> defines what can be put inside the "nameIdentifier" so the IdP and SP will
> follow this rule?
urn:mace:shibboleth:1.0:nameIdentifier has reasonably precisely
defined semantics. See section 3.3 of the old Shibboleth specification:
https://wiki.shibboleth.net/confluence/download/attachments/2162702/internet2-mace-shibboleth-arch-protocols-200509.pdf?version=1&modificationDate=1336585664438
It's effectively a legacy transientId for use with the Shibboleth
edition of SAML 1.1.
> Also it says "urn.....shibboleth:1.0:nameIdentifier"; does it mean
> it only works for SAML 1.0? If I send a SAML 2.0 AuthnRequest, will
> the IdP return this?
The IdP could hypothetically be configured to send this NameID using
the SAML 2.0 protocol, but I think that would be a very unwise choice.
There's a reason that identifiers are well-typed: so that the SP knows
what, if anything, to do with them once they're received. I'd
strongly suggest choosing the right identifier type for the identifier
you'd like to send.
If you have a use case that you'd like to discuss, please let us know.
Take care,
Nate.
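The point above about well-typed identifiers has a concrete SP-side consequence: the SP should verify that the NameID Format the IdP actually returned is the one it asked for in its NameIDPolicy, and then treat the value according to that Format, so a transient (or legacy urn:mace:shibboleth:1.0:nameIdentifier) value is only ever used for the current session and never stored as a durable account key. The following is an added illustration, not code from this thread or from the Shibboleth project; the FORMAT_POLICY table, the function names and the minimal unsigned assertion are constructed for the example, and signature validation of the assertion is assumed to have happened before this check runs.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml in production

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_SHIB_LEGACY = "urn:mace:shibboleth:1.0:nameIdentifier"

# SP handling rule per Format (assumption: a policy chosen for this example).
# "ephemeral": the value identifies the user for this session only; never persist it as an account key.
# "stable":    the value may be used as a durable account key for this IdP.
FORMAT_POLICY = {
    FMT_TRANSIENT: "ephemeral",
    FMT_SHIB_LEGACY: "ephemeral",  # legacy transientId from the Shibboleth 1.x architecture, as discussed above
    FMT_PERSISTENT: "stable",
}


class NameIDPolicyError(ValueError):
    """Raised when the returned NameID cannot be used under the SP's policy."""


def extract_name_id(assertion_xml: str):
    """Return (format, value) of the Subject NameID in a SAML 2.0 assertion.

    Per SAML 2.0 core, an absent Format attribute means 'unspecified'.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise NameIDPolicyError("assertion carries no Subject NameID")
    return name_id.get("Format", FMT_UNSPECIFIED), name_id.text.strip()


def check_name_id(assertion_xml: str, requested_format: str) -> dict:
    """Validate the NameID an IdP returned against the Format the SP requested.

    Returns {"format", "value", "handling"} with handling "ephemeral" or "stable".
    Raises NameIDPolicyError if the Format differs from the requested one or if
    the SP has no handling rule for it (e.g. 'unspecified').
    """
    fmt, value = extract_name_id(assertion_xml)
    if fmt != requested_format:
        raise NameIDPolicyError(
            f"IdP returned NameID Format {fmt!r} but SP requested {requested_format!r}"
        )
    handling = FORMAT_POLICY.get(fmt)
    if handling is None:
        raise NameIDPolicyError(f"no SP handling rule for NameID Format {fmt!r}")
    return {"format": fmt, "value": value, "handling": handling}


def _sample_assertion(fmt_attr: str, value: str) -> str:
    # Constructed, unsigned, minimal assertion for illustration only.
    fmt = f' Format="{fmt_attr}"' if fmt_attr else ""
    return (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2012-08-01T00:00:00Z">'
        "<saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>"
        f"<saml2:Subject><saml2:NameID{fmt}>{value}</saml2:NameID></saml2:Subject>"
        "</saml2:Assertion>"
    )


if __name__ == "__main__":
    print(check_name_id(_sample_assertion(FMT_TRANSIENT, "_8f3a2c9e"), FMT_TRANSIENT))
    print(check_name_id(_sample_assertion(FMT_SHIB_LEGACY, "_c0ffee"), FMT_SHIB_LEGACY))
    try:
        check_name_id(_sample_assertion(FMT_TRANSIENT, "_x"), FMT_PERSISTENT)
    except NameIDPolicyError as err:
        print("rejected:", err)
```

The mismatch branch is the important one: an SP that requested persistent but silently accepts a transient or legacy value would key accounts on an identifier that changes every session, which is exactly the confusion the reply warns about.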