Name ID in Subject and Name ID in AttributeValue

Nate Klingenstein ndk at internet2.edu
Wed Jul 25 15:33:31 EDT 2012


Martin,

Shibboleth doesn't care one way or the other; just make sure you have  
the proper AttributeDecoder in your AttributeMap for whichever is  
selected.  At the end of the mapping and filtering process, there's a  
bundle of user data including the attributes and, if mapped, the NameID.

I can't speak to simpleSAMLphp's preferences, though.  Many commercial  
products and vendor implementations care deeply about what the Subject  
of the assertion is, so I think it's best to humor other  
implementations with the knowledge that Shibboleth is fine regardless.

Hope this helps,
Nate.

On Jul 25, 2012, at 19:24 , Martin B. Smith wrote:

> Hi all,
>
> I'm looking at the difference between sending a SAML2 Name  
> Identifier (a persistent one) as part of the Subject in an assertion  
> and/or as part of the AttributeStatement of an assertion.
>
> I don't have a sense as to whether it makes sense to send in both  
> subject and attributestatement, or whether one should suffice?
>
> It seems like the Shibboleth service provider software is more  
> likely to offer the persistent ID as an environment variable if I  
> place it in an AttributeStatement. Though, it seems like  
> simpleSAMLphp really wants to see the name identifier as part of an  
> assertion's Subject.
>
> Thanks in advance,
> -- 
> Martin B. Smith
> smithmb at ufl.edu - (352) 273-1374
> CNS/Open Systems Group
> University of Florida

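Added example, not part of the original thread or of either project's code: a Python sketch that reads a persistent NameID from both places the messages above discuss, the assertion's Subject and an eduPersonTargetedID AttributeValue, and reports which were sent and whether they agree. The sample assertion, entity IDs and function names are constructed for illustration, and the input is assumed to be an assertion whose signature the SAML stack has already verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
NAMEID = ('<saml:NameID Format="' + PERSISTENT + '" NameQualifier="https://idp.example.org/idp"'
          ' SPNameQualifier="https://sp.example.org/sp">opaque-id-123</saml:NameID>')
# Constructed, unsigned sample: the same persistent NameID in both places.
# Assumption: real input has already passed signature validation elsewhere.
SAMPLE = ('<saml:Assertion xmlns:saml="' + NS["saml"] + '">'
          "<saml:Subject>" + NAMEID + "</saml:Subject>"
          '<saml:AttributeStatement><saml:Attribute Name="' + EPTID + '">'
          "<saml:AttributeValue>" + NAMEID + "</saml:AttributeValue>"
          "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")


def as_tuple(name_id):
    """(NameQualifier, SPNameQualifier, value): the qualifiers are part of the identity."""
    return (name_id.get("NameQualifier"), name_id.get("SPNameQualifier"),
            (name_id.text or "").strip())


def persistent_ids(assertion_xml):
    """Collect the persistent NameID from the Subject and from the attribute."""
    root = ET.fromstring(assertion_xml)
    subject = None
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is not None and nid.get("Format") == PERSISTENT:
        subject = as_tuple(nid)
    attribute = [as_tuple(n)
                 for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
                 if a.get("Name") == EPTID
                 for n in a.findall("saml:AttributeValue/saml:NameID", NS)]
    return {"subject": subject, "attribute": attribute}


def compare(found):
    """Say where the identifier was sent and whether the two copies agree."""
    subject, attribute = found["subject"], found["attribute"]
    if subject is None and not attribute:
        return "none"
    if subject is None:
        return "attribute-only"
    if not attribute:
        return "subject-only"
    return "both-match" if all(a == subject for a in attribute) else "mismatch"


if __name__ == "__main__":
    print(compare(persistent_ids(SAMPLE)))
```

A "mismatch" result is the case worth alerting on when both copies are sent, since an application keyed on one copy and a product keyed on the Subject would then see different users.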