How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier
Yaowen Tu
yaowen.tu at gmail.com
Wed Aug 1 21:10:02 EDT 2012
Thanks a lot for your answer.
One use case I want to confirm is that, if I send this SAML2.0 AuthnRequest:
<saml2p:AuthnRequest AssertionConsumerServiceURL="..."
    Destination="https://localhost/idp/profile/SAML2/Redirect/SSO"
    ID="_a90ed2b44c1d25860c411e0ab27a9edd"
    IssueInstant="2012-07-31T18:21:28.759Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    .....
  </saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
</saml2p:AuthnRequest>
First of all, is this a valid AuthnRequest? I am using SAML2, but in the
NameIDPolicy I specified urn:mace:shibboleth:1.0:nameIdentifier.
In order to comply with the SAML2.0 standards, what should the IdP reply?
The OOTB Shib IdP will return a NameID with the format
urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Best,
Yaowen
On Wed, Aug 1, 2012 at 5:51 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
> Yaowen,
>
> What I want to know is, if the SP specifies transient, it is very clear that the
> value will be a temporary number. But if the SP specifies
> "urn:mace:shibboleth:1.0:nameIdentifier" as the format, the SP still doesn't
> know what the value inside the NameID will be. The SP only knows that this
> value can represent this user. It can be an email address, given name, or
> whatever. This is defined by the IdP. Is that correct? Is there a place that
> defines what can be put inside the "nameIdentifier" so the IdP and SP will
> follow this rule?
>
>
> urn:mace:shibboleth:1.0:nameIdentifier has reasonably precisely defined
> semantics. See section 3.3 of the old Shibboleth specification:
>
>
> https://wiki.shibboleth.net/confluence/download/attachments/2162702/internet2-mace-shibboleth-arch-protocols-200509.pdf?version=1&modificationDate=1336585664438
>
> It's effectively a legacy transientId for use with the Shibboleth edition
> of SAML 1.1.
>
> Also, it says "urn.....shibboleth:1.0:nameIdentifier"; does it mean it
> only works for SAML1.0? If I send a SAML2.0 AuthnRequest, will the IdP return
> this?
>
>
> The IdP could hypothetically be configured to send this NameID using the
> SAML 2.0 protocol, but I think that would be a very unwise choice.
>
> There's a reason that identifiers are well-typed: so that the SP knows
> what, if anything, to do with them once they're received. I'd strongly
> suggest choosing the right identifier type for the identifier you'd like to
> send.
>
> If you have a use case that you'd like to discuss, please let us know.
>
> Take care,
> Nate.
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
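The thread turns on two things an SP can check for itself: whether the Format it puts in NameIDPolicy is actually a SAML 2.0 name identifier format, and whether the NameID that comes back matches what was asked for (Nate's point that identifiers are well-typed so the SP knows what to do with them). The following is an added example, not code from the thread or from the Shibboleth project. It rebuilds the AuthnRequest above with constructed values (the SP entityID, ACS URL and all Response IDs and values are made up) and a constructed Response carrying the transient NameID the message says a default IdP returns, then reports the mismatches an SP would want to log or reject on. The list of SAML 2.0 formats is the one from SAML 2.0 Core section 8.3; the rule that an IdP must honour a requested Format or return an error is from section 3.4.1.1.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LEGACY_SHIB_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"  # Shibboleth 1.x / SAML 1.1 era

# Name identifier formats defined by SAML 2.0 Core, section 8.3. Anything else is not a
# SAML 2.0 format and an SP should treat it as unknown rather than guess its semantics.
SAML2_NAMEID_FORMATS = {
    UNSPECIFIED,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    TRANSIENT,
}

# Constructed AuthnRequest modelled on the one in the mail. The SP entityID and the
# AssertionConsumerServiceURL are made up; the request ID is the one shown in the mail.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}"
    ID="_a90ed2b44c1d25860c411e0ab27a9edd" Version="2.0"
    IssueInstant="2012-07-31T18:21:28.759Z"
    Destination="https://localhost/idp/profile/SAML2/Redirect/SSO"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer>https://sp.example.org/shibboleth</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="{LEGACY_SHIB_FORMAT}"/>
</saml2p:AuthnRequest>"""

# Constructed Response carrying the transient NameID a default Shibboleth IdP returns.
# Signature, Conditions and AttributeStatement are omitted; only the Subject matters here.
RESPONSE = f"""<saml2p:Response xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}"
    ID="_resp1" Version="2.0" IssueInstant="2012-07-31T18:21:29.100Z"
    InResponseTo="_a90ed2b44c1d25860c411e0ab27a9edd">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_assert1" Version="2.0" IssueInstant="2012-07-31T18:21:29.100Z">
    <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="{TRANSIENT}"
          NameQualifier="https://idp.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">_7c0f1e9d4b2a</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """Return the NameIDPolicy/@Format the SP asked for, or None when no Format was given."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    policy = root.find(f"{{{SAML2P}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def classify_requested_format(fmt: Optional[str]) -> str:
    """Tell an unspecified policy, a SAML 2.0 format, the legacy Shibboleth 1.x URI and the rest apart."""
    if fmt is None or fmt == UNSPECIFIED:
        return "unspecified"          # the IdP is free to choose the identifier type
    if fmt == LEGACY_SHIB_FORMAT:
        return "legacy-shibboleth"
    if fmt in SAML2_NAMEID_FORMATS:
        return "saml2"
    return "unknown"


def returned_nameid(response_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the NameID in the assertion Subject; Format defaults to unspecified."""
    root = ET.fromstring(response_xml)
    nameid = root.find(f".//{{{SAML2}}}Assertion/{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if nameid is None:
        raise ValueError("no NameID in the assertion Subject")
    return nameid.get("Format", UNSPECIFIED), (nameid.text or "").strip()


def check_nameid_against_policy(requested_fmt: Optional[str], response_xml: str) -> List[str]:
    """Findings an SP should log (or reject on); an empty list means the NameID fits the policy."""
    findings = []
    kind = classify_requested_format(requested_fmt)
    if kind == "legacy-shibboleth":
        findings.append("NameIDPolicy asks for the Shibboleth 1.x identifier in a SAML 2.0 request")
    elif kind == "unknown":
        findings.append(f"NameIDPolicy Format is not a SAML 2.0 name identifier format: {requested_fmt}")
    got_fmt, value = returned_nameid(response_xml)
    if not value:
        findings.append("assertion Subject carries an empty NameID")
    if got_fmt not in SAML2_NAMEID_FORMATS:
        findings.append(f"returned NameID Format is not a SAML 2.0 format: {got_fmt}")
    # SAML 2.0 Core 3.4.1.1: when the SP names a Format, the IdP must return a NameID of that
    # Format or an error. A silently substituted type is not the identifier the SP asked for.
    if kind != "unspecified" and got_fmt != requested_fmt:
        findings.append(f"NameID Format mismatch: requested {requested_fmt}, received {got_fmt}")
    return findings


if __name__ == "__main__":
    asked = requested_nameid_format(AUTHN_REQUEST)
    for line in check_nameid_against_policy(asked, RESPONSE):
        print("finding:", line)
```

Run against the constructed pair it reports two findings: the policy names the legacy Shibboleth 1.x URI, and the transient NameID that came back does not match it. Asking for the transient format instead yields no findings. The stdlib ElementTree parser is used only because every input here is constructed; SP code that parses responses from the network should use a parser hardened against external entities and similar XML attacks, and must of course also verify the signature before looking at the Subject.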