Persistent Assertion/Subject/NameID from LDAP Attribute

Cantor, Scott cantor.2 at
Wed Aug 15 15:54:21 EDT 2012

On 8/15/12 2:43 PM, "Henry B. Hotz" <hotz at> wrote:

>> SPs that care generally want one format and should request that format in
>> the message. Otherwise they generally don't care.
> So it should be in the authentication request as opposed to the metadata?

As a general rule, yes. You definitely have a better shot at interop that

>Complexities to test here that I probably won't have time to try for a
>long time.  |-P

I'm sure. Be aware that a NameID is not mandatory in an assertion. You
might (or might not) be mistaking the IdP just not sending a NameID when
there's no formats it can pick from with not behaving correctly. The only
time it should explicitly return an error is if the format is in the
AuthnRequest, because that's mandated behavior.

-- Scott
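As an added illustration of the behaviour described in this message (not Scott's code, nor anything from the Shibboleth project), the following Python snippet shows what an SP-side check of the NameID outcome looks like: it reads the Format the SP asked for in the AuthnRequest's NameIDPolicy, then classifies the IdP's Response as (a) a NameID in the requested format, (b) an assertion with no NameID at all, which is legal when nothing was requested, (c) a NameID in the wrong format, or (d) the explicit InvalidNameIDPolicy error the IdP is required to return when it cannot satisfy a format given in the request. The XML messages are constructed samples; the code assumes the Response has already been signature-verified and that the assertion is not encrypted.

```python
# Added example: classify SAML 2.0 NameID outcomes the way the message describes.
# Assumes signed, plaintext (unencrypted) messages that were validated beforehand.
# For XML from an untrusted peer, parse with defusedxml instead of the stdlib parser.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def requested_format(authn_request_xml):
    """Return the Format the SP asked for in <samlp:NameIDPolicy>, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def check_response(response_xml, wanted_format):
    """Classify an IdP Response against the format the SP requested.

    Returns one of: 'ok', 'no-nameid', 'wrong-format',
    'invalid-policy-error', 'other-error'.
    """
    root = ET.fromstring(response_xml)
    # StatusCode elements nest (top-level code, then the more specific one).
    codes = [c.get("Value") for c in root.iter("{%s}StatusCode" % NS["samlp"])]
    if SUCCESS not in codes:
        return "invalid-policy-error" if INVALID_POLICY in codes else "other-error"
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        # A NameID is optional; only a format the SP explicitly requested makes
        # its absence an interop problem, and then the IdP should have errored.
        return "no-nameid"
    if wanted_format is not None and nameid.get("Format") != wanted_format:
        return "wrong-format"
    return "ok"


# Constructed sample messages (trimmed to the elements the checks look at).
REQ_WITH_POLICY = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="req1">'
    '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>'
    '</samlp:AuthnRequest>' % PERSISTENT
)
REQ_NO_POLICY = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="req2"/>'
)
RESP_OK = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="resp1">'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '<saml:Assertion ID="a1"><saml:Subject>'
    '<saml:NameID Format="%s">example-persistent-id</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>' % (SUCCESS, PERSISTENT)
)
RESP_NO_NAMEID = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="resp2">'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '<saml:Assertion ID="a2"><saml:Subject/></saml:Assertion></samlp:Response>' % SUCCESS
)
RESP_ERR = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="resp3">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="%s"/></samlp:StatusCode></samlp:Status>'
    '</samlp:Response>' % INVALID_POLICY
)

if __name__ == "__main__":
    fmt = requested_format(REQ_WITH_POLICY)
    print("requested:", fmt)
    print("good response:", check_response(RESP_OK, fmt))
    print("no NameID, nothing requested:", check_response(RESP_NO_NAMEID, requested_format(REQ_NO_POLICY)))
    print("IdP error for unsatisfiable policy:", check_response(RESP_ERR, fmt))
```

The point the classification makes explicit: 'no-nameid' is a normal outcome when the SP did not ask for a format, while a format named in the AuthnRequest should yield either 'ok' or 'invalid-policy-error', never silence.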
