Persistent Assertion/Subject/NameID from LDAP Attribute
Cantor, Scott
cantor.2 at osu.edu
Thu Aug 9 11:01:01 EDT 2012
On 8/9/12 3:34 AM, "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
>On the bottom, I've got an attribute (LDAP "mail") which is getting put
>in the IDP response just fine. I'm having trouble connecting the dots up
>to get it used as a persistent NameID for the Assertion. (Preferably only
>for one SP.)
persistent has a very specific meaning in SAML; it doesn't apply to just
any type of name.
>While the IdPPersistentNameIdentifier page doesn't say so, I assume I
>should put the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" as
>a supported <NameIDFormat> in both the SP and IDP metadata.
Not unless you're actually using that format.
>What is it that tells the IDP to use a specific attribute as the NameID
>for the assertion? Is it putting an extra <resolver:AttributeEncoder>
>into the <resolver:AttributeDefinition>?
In part. There's also a precedence setting in the relying party file that
tells it what formats to "prefer" for a given SP or set of SPs, and that
plus the filter policy results in a set of candidate NameID possibilities
that gets randomly picked from.
-- Scott
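The three pieces Scott refers to (an extra encoder on the attribute definition, a release rule in the filter policy, and the format precedence on the relying party), sketched as an added Shibboleth IdP 2.x configuration example that is not part of this thread. Element and attribute names are assumed from the IdP 2.x configuration syntax; the SP and IdP entityIDs, the `email` attribute id and the LDAP connector id `myLDAP` are placeholders, and the example uses the emailAddress format because, as Scott notes, a raw mail value is not a SAML persistent identifier.

```xml
<!-- attribute-resolver.xml: expose the LDAP "mail" attribute and make it a NameID candidate -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />   <!-- placeholder: your LDAP data connector id -->
    <!-- the ordinary attribute encoder stays, so the SP still receives mail as an attribute -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    <!-- the extra encoder: offers this value as a NameID of the emailAddress format -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the attribute to the one SP only, so it is a
     NameID candidate only there (nothing is released to any other requester) -->
<afp:AttributeFilterPolicy id="releaseMailToOneSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" />   <!-- placeholder SP entityID -->
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- relying-party.xml: tell the IdP which format to prefer for that SP; the
     candidate set is the encoders on the attributes actually released above -->
<rp:RelyingParty id="https://sp.example.org/shibboleth"
    provider="https://idp.example.org/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        includeAttributeStatement="true"
        nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
</rp:RelyingParty>
```

Because the filter policy, not the encoder, decides which SPs ever see the value, scoping the release rule to one requester is what keeps the mail-based NameID from leaking to every other SP the IdP serves.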