Name ID in Subject and Name ID in AttributeValue
Nate Klingenstein
ndk at internet2.edu
Wed Jul 25 15:33:31 EDT 2012

Martin,

Shibboleth doesn't care one way or the other; just make sure you have
the proper AttributeDecoder in your AttributeMap for whichever is
selected. At the end of the mapping and filtering process, there's a
bundle of user data including the attributes and, if mapped, the NameID.

I can't speak to simpleSAMLphp's preferences, though. Many commercial
products and vendor implementations care deeply about what the Subject
of the assertion is, so I think it's best to humor other
implementations with the knowledge that Shibboleth is fine regardless.

Hope this helps,
Nate.

On Jul 25, 2012, at 19:24 , Martin B. Smith wrote:
> Hi all,
>
> I'm looking at the difference between sending a SAML2 Name
> Identifier (a persistent one) as part of the Subject in an assertion
> and/or as part of the AttributeStatement of an assertion.
>
> I don't have a sense as to whether it makes sense to send in both
> subject and AttributeStatement, or whether one should suffice?
>
> It seems like the Shibboleth service provider software is more
> likely to offer the persistent ID as an environment variable if I
> place it in an AttributeStatement. Though, it seems like
> simpleSAMLphp really wants to see the name identifier as part of an
> assertion's Subject.
>
> Thanks in advance,
> --
> Martin B. Smith
> smithmb at ufl.edu - (352) 273-1374
> CNS/Open Systems Group
> University of Florida
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
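
Added example, not part of the original thread and not Shibboleth or simpleSAMLphp code: a small Python sketch showing the two placements discussed above on a constructed, unsigned assertion, and how a consumer ends up with the same persistent ID from either one. The entity IDs, the opaque value, and the choice of the eduPersonTargetedID OID as the carrying attribute are assumptions; the NameQualifier!SPNameQualifier!value rendering follows the formatter string in the Shibboleth SP's stock attribute-map.xml.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample (unsigned, trimmed). Every value here is made up.
# Real SP code must verify the signature before trusting any of this.
ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.org/idp"
                 SPNameQualifier="https://sp.example.org/sp">k3Jd0Zq1</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     NameQualifier="https://idp.example.org/idp"
                     SPNameQualifier="https://sp.example.org/sp">k3Jd0Zq1</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def flatten(name_id):
    """Render a NameID element as NameQualifier!SPNameQualifier!value."""
    return "!".join([name_id.get("NameQualifier", ""),
                     name_id.get("SPNameQualifier", ""),
                     (name_id.text or "").strip()])

def persistent_ids(assertion_xml):
    """Collect persistent NameIDs from the Subject and from AttributeValues."""
    root = ET.fromstring(assertion_xml)
    found = {"subject": None, "attributes": {}}
    subj = root.find("saml:Subject/saml:NameID", NS)
    if subj is not None and subj.get("Format") == PERSISTENT:
        found["subject"] = flatten(subj)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        for nid in attr.findall("saml:AttributeValue/saml:NameID", NS):
            if nid.get("Format") == PERSISTENT:
                found["attributes"].setdefault(attr.get("Name"), []).append(flatten(nid))
    return found

if __name__ == "__main__":
    print(persistent_ids(ASSERTION))
```

An assertion that carries the ID only in the Subject yields an empty "attributes" dict, which is the case where the receiving software needs a mapping for the NameID format rather than for an attribute name.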