Persistent Assertion/Subject/NameID from LDAP Attribute

Cantor, Scott cantor.2 at
Thu Aug 9 11:01:01 EDT 2012

On 8/9/12 3:34 AM, "Henry B. Hotz" <hotz at> wrote:

>On the bottom, I've got an attribute (LDAP "mail") which is getting put
>in the IDP response just fine.  I'm having trouble connecting the dots up
>to get it used as a persistent NameID for the Assertion. (Preferably only
>for one SP.)

persistent has a very specific meaning in SAML; it doesn't apply to just
any type of name.

>While the IdPPersistentNameIdentifier page doesn't say so, I assume I
>should put the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" as
>a supported <NameIDFormat> in both the SP and IDP metadata.

Not unless you're actually using that format.

>What is it that tells the IDP to use a specific attribute as the NameID
>for the assertion?  Is it putting an extra <resolver:AttributeEncoder>
>into the <resolver:AttributeDefinition>?

In part. There's also a precedence setting in the relying party file that
tells it what formats to "prefer" for a given SP or set of SPs, and that
plus the filter policy results in a set of candidate NameID possibilities
that gets randomly picked from.

-- Scott
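To make the two halves of that answer concrete, here is an added configuration sketch (not part of the original thread, and not the Shibboleth project's own documentation) for an IdP 2.x deployment. It assumes the attribute definition is fed by an LDAP connector with id "myLDAP", that the SP's entityID is the placeholder "https://sp.example.org/shibboleth", and that the chosen NameID format is the SAML 1.1 emailAddress format rather than "persistent", since the value is a mail address and not a persistent identifier in the SAML sense. It shows the three pieces that have to line up: a NameID encoder on the attribute definition, a per-SP precedence override in relying-party.xml, and a filter rule releasing the attribute to that SP so it is actually a candidate.

```xml
<!-- attribute-resolver.xml (fragment, added example):
     the extra AttributeEncoder is what makes "mail" a NameID candidate.
     "myLDAP" is an assumed connector id; the OID encoder is the usual
     one for mail and is kept so the attribute is still released normally. -->
<resolver:AttributeDefinition id="email" xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:0.9.2342.19200300.100.1.3"
                               friendlyName="mail" />
    <!-- Emits the value as a SAML 2 NameID in the emailAddress format. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- relying-party.xml (fragment, added example):
     an override for one SP only; nameIDFormatPrecedence tells the IdP which
     format to prefer when several encoders yield candidates. Credential ref
     and provider entityID are assumed values for this deployment. -->
<rp:RelyingParty id="https://sp.example.org/shibboleth"
                 provider="https://idp.example.org/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                             includeAttributeStatement="true" />
</rp:RelyingParty>

<!-- attribute-filter.xml (fragment, added example):
     without a release rule for this SP the encoder never produces a
     candidate, so the precedence setting has nothing to choose from. -->
<afp:AttributeFilterPolicy id="releaseEmailToOneSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Because the SP override scopes both the precedence and the release rule to one entityID, other SPs keep whatever NameID behaviour the default relying party configuration gives them. If the requirement is really a stable, non-reassignable identifier, a mail address is the wrong choice regardless of format: addresses get reassigned, and a value that changes breaks the SP's account linkage, which is exactly the case the SAML persistent format (and the IdP's persistent-ID support described on the wiki page mentioned above) exists to cover.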
