Persistent Assertion/Subject/NameID from LDAP Attribute

Henry B. Hotz hotz at
Thu Aug 16 15:40:21 EDT 2012

On Aug 15, 2012, at 12:54 PM, Cantor, Scott wrote:

> On 8/15/12 2:43 PM, "Henry B. Hotz" <hotz at> wrote:
>>> SPs that care generally want one format and should request that format in
>>> the message. Otherwise they generally don't care.
>> So it should be in the authentication request as opposed to the metadata?
> As a general rule, yes. You definitely have a better shot at interop that
> way.

Yeah, well I started this thread with an existing commercial service that doesn't do that.  In other words the "you" in that statement is really "they".  ;-)

>> Complexities to test here that I probably won't have time to try for a
>> long time.  |-P
> I'm sure. Be aware that a NameID is not mandatory in an assertion. You
> might (or might not) be mistaking the IdP just not sending a NameID when
> there's no formats it can pick from with not behaving correctly. The only
> time it should explicitly return an error is if the format is in the
> AuthnRequest, because that's mandated behavior.
> -- Scott

Granted I only had one correctly spelled test case and I'm going from memory, but pretty sure it sent a transient subject ID when the SP metadata said to use an email ID.  Also I only looked at log messages during the transaction, not during startup.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at