Persistent Assertion/Subject/NameID from LDAP Attribute

Henry B. Hotz hotz at
Fri Aug 10 12:19:25 EDT 2012

On Aug 10, 2012, at 7:37 AM, Cantor, Scott wrote:

> On 8/10/12 12:05 AM, "Henry B. Hotz" <hotz at> wrote:
>> If that's what's wanted by a specific SP, shouldn't the <NameIDFormat>
>> metadata make it unnecessary to put a preference in the RelyingParty?
> I believe the IdP does look at that, yes. No other implementations of SAML
> will, FWIW.

I had a spelling error in that metadata field, and the IDP didn't complain during processing.  I'm reasonably sure I fixed that and tried once before going to the RelyingParty fix.  The debug logs showed "transient" and email as candidate subject names and it always chose transient.

>> Just asking.  Everything's working now, but I need to clean things up a
>> bit.
> The preference rule in relying-party.xml was added to make it cleaner to
> unilaterally control the format used without having to use odd-looking
> filter policies. Normally you don't control the SP's metadata so
> manipulating that isn't the approach generally used.

I'm thinking the SP should be able to say what it supports and not get sent something that it doesn't. I'm *not* saying the rp preference shouldn't be there.  I agree that an IDP shouldn't be coerced into doing something counter to policy by an external input.

If the intersection of the two NameIDFormat specs is null, the request should probably fail.  Consider that a feature request, not a bug report.  ;-)

> -- Scott

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
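Added illustration of the negotiation discussed above, not Shibboleth IdP code and not part of the thread: it reads the <NameIDFormat> entries from an SP's SPSSODescriptor, flags any value that is not a standard SAML format URI (the misspelling the IdP silently accepted), and then picks a format by intersecting the SP's list with an ordered IdP preference list, failing when the intersection is empty as the message proposes. The metadata snippet, the entityID and the IdP preference order are constructed for the example; the format URIs are the standard SAML 1.1/2.0 identifiers.

```python
"""NameID format negotiation between SP metadata and IdP policy (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard SAML NameID format identifiers (SAML 1.1 and 2.0 Core).
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
}

# Constructed SP metadata: one misspelled format ("persistant") and one valid one.
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistant</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed IdP-side ordered preference (what relying-party.xml expresses).
SAMPLE_IDP_PREFERENCE = [
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
]


def sp_name_id_formats(metadata_xml: str) -> list[str]:
    """Return the NameIDFormat values declared in the SP's SPSSODescriptor, in order."""
    root = ET.fromstring(metadata_xml)
    path = f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}NameIDFormat"
    return [(el.text or "").strip() for el in root.findall(path)]


def unknown_formats(formats: list[str]) -> list[str]:
    """Values that are not standard format URIs: the check the thread says the IdP skipped."""
    return [f for f in formats if f not in KNOWN_FORMATS]


def choose_name_id_format(sp_formats: list[str], idp_preference: list[str]) -> str:
    """Pick the first IdP-preferred format that the SP also declares.

    IdP policy order wins, so external metadata cannot coerce the IdP into a
    format it does not want; an empty intersection fails the request instead
    of silently falling back to something the SP never asked for.
    """
    supported = set(sp_formats)
    for fmt in idp_preference:
        if fmt in supported:
            return fmt
    raise ValueError(
        f"no NameID format acceptable to both sides: SP={sorted(supported)} IdP={idp_preference}"
    )


if __name__ == "__main__":
    formats = sp_name_id_formats(SAMPLE_SP_METADATA)
    for bad in unknown_formats(formats):
        print(f"WARNING: non-standard NameIDFormat in SP metadata: {bad}")
    print("chosen:", choose_name_id_format(formats, SAMPLE_IDP_PREFERENCE))
```

With the constructed metadata the misspelled "persistant" entry is reported and, because it never matches, negotiation falls through to emailAddress; correcting the spelling makes persistent win, and an SP that lists only formats the IdP does not offer raises ValueError rather than receiving a format it cannot consume.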
