Persistent Assertion/Subject/NameID from LDAP Attribute

Henry B. Hotz hotz at
Thu Aug 9 03:34:15 EDT 2012

On the bottom, I've got an attribute (LDAP "mail") which is getting put in the IDP response just fine.  I'm having trouble connecting the dots up to get it used as a persistent NameID for the Assertion. (Preferably only for one SP.)

While the IdPPersistentNameIdentifier page doesn't say so, I assume I should put the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" as a supported <NameIDFormat> in both the SP and IDP metadata.

What is it that tells the IDP to use a specific attribute as the NameID for the assertion?  Is it putting an extra <resolver:AttributeEncoder> into the <resolver:AttributeDefinition>?

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
