Persistent Assertion/Subject/NameID from LDAP Attribute

Henry B. Hotz hotz at
Wed Aug 15 14:43:53 EDT 2012

On Aug 10, 2012, at 9:23 AM, Cantor, Scott wrote:

> On 8/10/12 12:19 PM, "Henry B. Hotz" <hotz at> wrote:
>> I'm thinking the SP should be able to say what it supports and not get
>> sent something that it doesn't. I'm *not* saying the rp preference
>> shouldn't be there.  I agree that an IDP shouldn't be coerced into doing
>> something counter to policy by an external input.
> SPs that care generally want one format and should request that format in
> the message. Otherwise they generally don't care.

So it should be in the authentication request as opposed to the metadata?

>> If the intersection of the two NameIDFormat specs is null, the request
>> should probably fail.  Consider that a feature request, not a bug report.
>> ;-)
> As far as I know that's how it works.

Complexities to test here that I probably won't have time to try for a long time.  |-P
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
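
Added example, not part of the original thread and not Shibboleth's own code: a generic IdP-side sketch of the format selection discussed above, where a Format in the request's NameIDPolicy must be honoured or refused, and otherwise the SP's metadata NameIDFormat list is intersected with what the IdP allows, failing when the intersection is empty. The function names, the IdP preference-order rule and the sample documents are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
PERSISTENT, TRANSIENT = FMT + "persistent", FMT + "transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

class InvalidNameIDPolicy(Exception):
    """No acceptable format; maps to the SAML second-level status code below."""
    status = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

def requested_format(authn_request_xml):
    """Format the SP asked for in <samlp:NameIDPolicy>, or None if it stated no preference."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format") if policy is not None else None
    return None if fmt in (None, UNSPECIFIED) else fmt

def metadata_formats(sp_metadata_xml):
    """<md:NameIDFormat> values the SP advertises in its SPSSODescriptor."""
    root = ET.fromstring(sp_metadata_xml)
    return [e.text.strip() for e in root.iterfind(".//md:SPSSODescriptor/md:NameIDFormat", NS) if e.text]

def select_format(idp_formats, authn_request_xml, sp_metadata_xml):
    """idp_formats: non-empty list local policy allows for this SP, in IdP preference order (assumed)."""
    wanted = requested_format(authn_request_xml)
    if wanted is not None:                       # explicit request: honour it or fail
        if wanted in idp_formats:
            return wanted
        raise InvalidNameIDPolicy(wanted)
    sp_formats = metadata_formats(sp_metadata_xml)
    if not sp_formats:                           # SP states nothing: IdP default applies
        return idp_formats[0]
    for fmt in idp_formats:                      # IdP order wins; the SP only narrows the set
        if fmt in sp_formats:
            return fmt
    raise InvalidNameIDPolicy("empty intersection")

# Constructed sample documents (not taken from the thread).
REQ_PERSISTENT = ('<samlp:AuthnRequest xmlns:samlp="%s"><samlp:NameIDPolicy Format="%s"/>'
                  '</samlp:AuthnRequest>' % (NS["samlp"], PERSISTENT))
REQ_NO_POLICY = '<samlp:AuthnRequest xmlns:samlp="%s"/>' % NS["samlp"]
SP_METADATA = ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/shibboleth">'
               '<md:SPSSODescriptor><md:NameIDFormat>%s</md:NameIDFormat>'
               '<md:NameIDFormat>%s</md:NameIDFormat></md:SPSSODescriptor>'
               '</md:EntityDescriptor>' % (NS["md"], TRANSIENT, EMAIL))

if __name__ == "__main__":
    print(select_format([PERSISTENT, TRANSIENT], REQ_PERSISTENT, SP_METADATA))
    print(select_format([PERSISTENT, TRANSIENT], REQ_NO_POLICY, SP_METADATA))
```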
