Persistent Assertion/Subject/NameID from LDAP Attribute
trscavo at gmail.com
Thu Aug 9 08:49:07 EDT 2012
On Thu, Aug 9, 2012 at 3:34 AM, Henry B. Hotz <hotz at jpl.nasa.gov> wrote:
> On the bottom, I've got an attribute (LDAP "mail") which is getting put in the IDP response just fine. I'm having trouble connecting the dots up to get it used as a persistent NameID for the Assertion. (Preferably only for one SP.)
> While the IdPPersistentNameIdentifier page doesn't say so, I assume I should put the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" as a supported <NameIDFormat> in both the SP and IDP metadata.
That is definitely optional.
> What is it that tells the IDP to use a specific attribute as the NameID for the assertion? Is it putting an extra <resolver:AttributeEncoder> into the <resolver:AttributeDefinition>?
In the case of the SAML V2.0 Persistent NameID, you don't. That NameID
has a very specific format (you can read about it in the SAML spec)
but it looks nothing like an e-mail address. If you want to have the
latter as a NameID, use:
which is (obviously) pre-V2.0 but the format of choice for e-mail addresses.
More information about the users