How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier

Kevin P. Foote kpfoote at iup.edu
Tue Jul 31 15:05:49 EDT 2012


You can encode different attributes (data) you have access to into nameIdentifiers and then 
send them out to the various RPs that require or request differing NameID data.

https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPCustomNameIdentifier

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier

The IdP's default OOB config is to send the transientId as the NameID, as
you have found. 

------
thanks
  kevin.foote

On Tue, 31 Jul 2012, Yaowen Tu wrote:

-> Hi,
-> 
-> I have installed a sample Shib IdP, it is working in general. I am just
-> trying to explore a little more.
-> 
-> From the IdP metadata, I see this:
->         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-> 
-> 
-> So I assume, if an SP sends this AuthnRequest, I am supposed to get a
-> nameIdentifier from the Assertion:
-> 
-> <saml2p:AuthnRequest AssertionConsumerServiceURL="..."
->     Destination="https://localhost/idp/profile/SAML2/Redirect/SSO"
->     ID="_a90ed2b44c1d25860c411e0ab27a9edd"
->     IssueInstant="2012-07-31T18:21:28.759Z"
->     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
->     Version="2.0"
->     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
->   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
->    .....
->   </saml2:Issuer>
->   <saml2p:NameIDPolicy AllowCreate="true"
->     Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
-> </saml2p:AuthnRequest>
-> 
-> 
-> In reality, from idp-process.log, I see this information:
-> 
-> 
-> 
-> 11:22:01.373 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:465]
-> - Attempting to select name identifier attribute for relying party '...'
-> that requires format 'urn:mace:shibboleth:1.0:nameIdentifier'
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:548]
-> - Filtering out potential name identifier attributes which do not support
-> one of the following formats: [urn:mace:shibboleth:1.0:nameIdentifier]
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:567]
-> - Retaining attribute transientId which may be encoded as a name identifier
-> of format urn:mace:shibboleth:1.0:nameIdentifier
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:672]
-> - Selecting attribute to be encoded as a name identifier by encoder of type
-> edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:699]
-> - Selecting the first attribute that can be encoded in to a name identifier
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:483]
-> - Name identifier for relying party '...' will be built from attribute
-> 'transientId'
-> 11:22:01.374 - DEBUG
-> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:864]
-> - Using attribute 'transientId' supporting NameID format
-> 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID
-> for relying party '...'
-> 
-> And in the Assertion, it is actually transient NameID.
-> 
-> Can you tell me why? Do I need to make any other configuration to be able
-> to get nameIdentifier?
-> 
-> 
-> Best,
-> Yaowen
-> 
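As an added illustration of Kevin's point (this fragment is not from the thread or from the Shibboleth project's files), here is what the NameID side of an IdP 2.x attribute-resolver.xml looks like: the stock transientId definition, reproduced from memory so compare it with your own file, and a second attribute given a SAML 2 NameID encoder for whatever format an RP puts in its NameIDPolicy. The data connector id `myLDAP`, the source attribute `uid` and the definition id `uidNameID` are placeholders.

```xml
<!-- attribute-resolver.xml, IdP 2.x syntax. Added example, not the thread's own config.
     The resolver:, ad: and enc: prefixes are the ones the stock file already declares. -->

<!-- Out-of-the-box transientId (from memory; check your own file). It carries a SAML 1
     encoder for urn:mace:shibboleth:1.0:nameIdentifier and a SAML 2 encoder for the
     transient format. The debug log above shows the SAML 2 profile handler retaining
     transientId for the requested format but then encoding it with the SAML 2 encoder,
     which is why the assertion still carries a transient NameID. -->
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>

<!-- A second attribute that the SAML 2 handler can turn into a NameID. 'myLDAP' and
     'uid' are placeholders for your own data connector and source attribute. The
     nameFormat must equal the Format the RP sends in <saml2p:NameIDPolicy>; the
     unspecified format is used here only as a placeholder. -->
<resolver:AttributeDefinition id="uidNameID" xsi:type="ad:Simple" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
</resolver:AttributeDefinition>
```

The log shows the handler picking "the first attribute that can be encoded" among those available for the relying party, so the new attribute also has to be released to that RP in attribute-filter.xml before it is a candidate.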

