How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier

Yaowen Tu yaowen.tu at gmail.com
Thu Aug 2 14:10:03 EDT 2012


Thanks Scott. Does it mean that it is a bug if it returns a transient
NameID instead of nameIdentifier or an error?

For more information please see the log:

11:22:01.373 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:465] - Attempting to select name identifier attribute for relying party '...' that requires format 'urn:mace:shibboleth:1.0:nameIdentifier'
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:548] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:mace:shibboleth:1.0:nameIdentifier]
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:567] - Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:672] - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:699] - Selecting the first attribute that can be encoded in to a name identifier
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:483] - Name identifier for relying party '...' will be built from attribute 'transientId'
11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:864] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party '...'


Yaowen


On Thu, Aug 2, 2012 at 7:09 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/1/12 9:10 PM, "Yaowen Tu" <yaowen.tu at gmail.com> wrote:
> >
> >In order to comply with the SAML2.0 standards, what should be replied
> >from IdP? OOTB Shib IdP will return a NameID with format of
> >urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
>
>
> OOTB it should either return what you ask for, or an error, or there's a
> bug.
>
> -- Scott
>
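
The mismatch visible in the log above (format 'urn:mace:shibboleth:1.0:nameIdentifier' required, transient NameID issued) can be checked for across a whole IdP debug log. The script below is an added example, not part of the original thread or of the Shibboleth code base; it assumes the two DEBUG message wordings quoted in the post, and the relying-party names and shortened class names in the sample are constructed.

```python
import re

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} - ")
REQUIRED = re.compile(r"relying party '([^']*)' that requires format '([^']+)'")
ISSUED = re.compile(r"Using attribute '([^']+)' supporting NameID format '([^']+)' "
                    r"to create the NameID for relying party '([^']*)'")

# Constructed sample: class names shortened, relying parties invented, first two
# entries wrapped the way a mail client wraps them.
SAMPLE_LOG = """\
11:22:01.373 - DEBUG [AbstractSAMLProfileHandler:465] - Attempting to
select name identifier attribute for relying party 'https://sp1.example.org' that requires
format 'urn:mace:shibboleth:1.0:nameIdentifier'
11:22:01.374 - DEBUG [AbstractSAML2ProfileHandler:864] - Using attribute 'transientId' supporting NameID format
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID
for relying party 'https://sp1.example.org'
11:22:05.100 - DEBUG [AbstractSAMLProfileHandler:465] - Attempting to select name identifier attribute for relying party 'https://sp2.example.org' that requires format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
11:22:05.101 - DEBUG [AbstractSAML2ProfileHandler:864] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://sp2.example.org'
"""

def entries(log_text):
    """Re-join wrapped lines: a new entry starts only at a timestamp."""
    current = []
    for line in log_text.splitlines():
        if TIMESTAMP.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def find_format_mismatches(log_text):
    """Report relying parties whose issued NameID format differs from the required one."""
    required, findings = {}, []   # required: relying party -> required format
    for entry in entries(log_text):
        m = REQUIRED.search(entry)
        if m:
            required[m.group(1)] = m.group(2)
            continue
        m = ISSUED.search(entry)
        if m:
            attribute, issued, rp = m.groups()
            wanted = required.pop(rp, None)
            if wanted is not None and wanted != issued:
                findings.append({"relying_party": rp, "required": wanted,
                                 "issued": issued, "attribute": attribute})
    return findings
```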