Persistent Assertion/Subject/NameID from LDAP Attribute
Cantor, Scott
cantor.2 at osu.edu
Wed Aug 15 15:54:21 EDT 2012
On 8/15/12 2:43 PM, "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
>> SPs that care generally want one format and should request that format in
>> the message. Otherwise they generally don't care.
>
>So it should be in the authentication request as opposed to the metadata?
As a general rule, yes. You definitely have a better shot at interop that
way.
>Complexities to test here that I probably won't have time to try for a
>long time. |-P
I'm sure. Be aware that a NameID is not mandatory in an assertion. You
might (or might not) be mistaking the IdP just not sending a NameID when
there are no formats it can pick from for not behaving correctly. The only
time it should explicitly return an error is if the format is in the
AuthnRequest, because that's mandated behavior.
-- Scott
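
The distinction drawn in the message above, between an IdP that omits the NameID and one that returns the mandated error for a format named in the AuthnRequest, as an added example that is not part of the original thread. The `classify` helper and the sample responses are hypothetical and constructed; the code assumes the Response has already been signature-checked and is not encrypted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def classify(response_xml, requested_format=None):
    """Hypothetical SP-side helper: what did the IdP do about the NameID?

    Assumes the Response was already signature-checked and is unencrypted.
    requested_format is the Format the SP put in NameIDPolicy, or None.
    """
    root = ET.fromstring(response_xml)
    # Top-level StatusCode comes first, then any nested second-level codes.
    codes = [c.get("Value") for c in root.iterfind("samlp:Status//samlp:StatusCode", NS)]
    if INVALID_POLICY in codes:
        return "idp-refused-format"          # the explicit error case
    if not codes or codes[0] != SUCCESS:
        return "other-error"
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        # Fine when nothing was requested; a problem when a format was.
        return "requested-format-not-honoured" if requested_format else "no-nameid-allowed"
    # An absent Format attribute never equals a specific requested format.
    if requested_format and name_id.get("Format") != requested_format:
        return "requested-format-not-honoured"
    return "ok"


# Constructed, heavily trimmed sample responses (not captured from a real IdP).
_HEAD = f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"><samlp:Status>'
_CONF = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
_OK = f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion><saml:Subject>'
_TAIL = "</saml:Subject></saml:Assertion></samlp:Response>"
REFUSED = (_HEAD + f'<samlp:StatusCode Value="{RESPONDER}"><samlp:StatusCode Value="{INVALID_POLICY}"/>'
           "</samlp:StatusCode></samlp:Status></samlp:Response>")
NO_NAMEID = _HEAD + _OK + _CONF + _TAIL
WITH_NAMEID = (_HEAD + _OK + f'<saml:NameID Format="{PERSISTENT}">constructed-opaque-id</saml:NameID>'
               + _CONF + _TAIL)

if __name__ == "__main__":
    for label, xml, fmt in [("refused", REFUSED, PERSISTENT), ("none", NO_NAMEID, None),
                            ("none+req", NO_NAMEID, PERSISTENT), ("ok", WITH_NAMEID, PERSISTENT)]:
        print(label, "->", classify(xml, fmt))
```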