Persistent Assertion/Subject/NameID from LDAP Attribute
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Aug 16 15:40:21 EDT 2012
On Aug 15, 2012, at 12:54 PM, Cantor, Scott wrote:
> On 8/15/12 2:43 PM, "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
>>> SPs that care generally want one format and should request that format in
>>> the message. Otherwise they generally don't care.
>> So it should be in the authentication request as opposed to the metadata?
> As a general rule, yes. You definitely have a better shot at interop that
Yeah, well, I started this thread with an existing commercial service that doesn't do that. In other words, the "you" in that statement is really "they". ;-)
>> Complexities to test here that I probably won't have time to try for a
>> long time. |-P
> I'm sure. Be aware that a NameID is not mandatory in an assertion. You
> might (or might not) be mistaking the IdP just not sending a NameID when
> there's no formats it can pick from with not behaving correctly. The only
> time it should explicitly return an error is if the format is in the
> AuthnRequest, because that's mandated behavior.
> -- Scott
Granted, I only had one correctly spelled test case and I'm going from memory, but I'm pretty sure it sent a transient subject ID when the SP metadata said to use an email ID. Also, I only looked at log messages during the transaction, not during startup.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
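The format-selection rule discussed in the exchange above (a Format in the AuthnRequest's NameIDPolicy is mandated and must produce an error if the IdP cannot satisfy it; NameIDFormat entries in SP metadata are only a hint; and when nothing usable is found the IdP simply omits the NameID), as an added example that is not part of the original thread and is not Shibboleth IdP code. It is a small Python model of the IdP side. The AuthnRequest and SP metadata documents are constructed for the example, and the `default` parameter is an assumption standing in for whatever fallback format a particular IdP might configure.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed sample: the SP asks for an email NameID in the request itself.
AUTHN_REQUEST_WITH_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req1" Version="2.0"
    IssueInstant="2012-08-16T19:40:21Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy Format="{FMT_EMAIL}" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed sample: same SP, but the request says nothing about the format.
AUTHN_REQUEST_NO_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req2" Version="2.0"
    IssueInstant="2012-08-16T19:40:21Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample: SP metadata listing email first, transient second.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>{FMT_EMAIL}</md:NameIDFormat>
    <md:NameIDFormat>{FMT_TRANSIENT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


class InvalidNameIDPolicy(Exception):
    """The AuthnRequest mandated a Format the IdP cannot produce."""


def requested_format(authn_request_xml):
    """Format from <NameIDPolicy>, or None when the request leaves it open."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    fmt = policy.get("Format")
    # An absent Format, or 'unspecified', lets the IdP choose (SAML Core 3.4.1.1).
    return None if fmt in (None, FMT_UNSPECIFIED) else fmt


def metadata_formats(sp_metadata_xml):
    """<NameIDFormat> hints from the SP's metadata, in document order."""
    root = ET.fromstring(sp_metadata_xml)
    path = "md:SPSSODescriptor/md:NameIDFormat"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]


def select_nameid_format(idp_supported, authn_request_xml,
                         sp_metadata_xml=None, default=None):
    """Return the format to use, or None to omit the NameID entirely."""
    wanted = requested_format(authn_request_xml)
    if wanted is not None:
        if wanted in idp_supported:
            return wanted
        # Mandated by the request: this is the only case that is an error.
        raise InvalidNameIDPolicy(wanted)
    # Metadata is advisory: take the first hint the IdP can actually produce.
    if sp_metadata_xml is not None:
        for hint in metadata_formats(sp_metadata_xml):
            if hint in idp_supported:
                return hint
    # 'default' is an assumed, IdP-specific fallback; None means no NameID.
    return default if default in idp_supported else None


def build_response(idp_supported, authn_request_xml,
                   sp_metadata_xml=None, default=None):
    """(status code, NameID format); a None format means no NameID is sent."""
    try:
        fmt = select_nameid_format(idp_supported, authn_request_xml,
                                   sp_metadata_xml, default)
    except InvalidNameIDPolicy:
        return STATUS_INVALID_NAMEID_POLICY, None
    return STATUS_SUCCESS, fmt


if __name__ == "__main__":
    idp = {FMT_PERSISTENT, FMT_TRANSIENT}   # an IdP that cannot do email
    print(build_response(idp, AUTHN_REQUEST_WITH_POLICY, SP_METADATA))
    print(build_response(idp, AUTHN_REQUEST_NO_POLICY, SP_METADATA))
    print(build_response(idp, AUTHN_REQUEST_NO_POLICY))
```

With an IdP that can only release persistent or transient identifiers, the first call is the one mandated-error case (the request itself asked for email), the second picks transient because it is the first metadata hint the IdP can honour, and the third sends no NameID at all, which is the "IdP just not sending a NameID" situation rather than misbehaviour. Pass `default=FMT_TRANSIENT` to see an IdP that falls back to a transient identifier instead of omitting the NameID.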