Brewer, Edward L
lee.brewer at Vanderbilt.Edu
Tue Feb 26 13:32:52 EST 2013
I am attempting to create a new NameId to integrate with a vendor. I am currently using Shibboleth 2.3.6 IdP running under JBOSS 5 on Linux. The vendor wants me to pass to them a NameId of username@vu, where vu represents Vanderbilt University. I asked to make it username@vanderbilt.edu, but they want to shorten it to make it easier on mobile users, since they have to type in the entire name for PIN administration. I followed the instructions in the wiki and created a new attribute:
<resolver:AttributeDefinition id="concurid" xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="vu" sourceAttributeID="uid"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:22.214.171.124.4.1.59126.96.36.199.6"
      friendlyName="username" scopeType="inline" />
</resolver:AttributeDefinition>
And I set it to release the attribute to the vendor in the attribute filter. Now in this present state I see this in the logs:
BTW (I also have another NameId present called transientId that is in transient format.)
12:19:01.215 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:573] - Removing attribute concurid, it can not be encoded in to a name identifier of an acceptable format
So the assertion is created with the TransientId instead. Now if I change the nameid-format to transient for concurid, then the IdP chooses concurid, but it uses only username and no @vu.
Any help would be appreciated,
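
An audit script for the situation in the post, added here as an example and not part of the original message or of Shibboleth: it parses a resolver definition like the one above and lists the NameID encoders whose declared format falls outside a given acceptable set, which is the condition the DEBUG line reports. The `ACCEPTABLE` set, the placeholder OID and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"

# Constructed sample: the definition from the post; the OID is a placeholder.
SAMPLE = """\
<resolver:AttributeDefinition id="concurid" xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="vu" sourceAttributeID="uid"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:PLACEHOLDER" friendlyName="username" scopeType="inline" />
</resolver:AttributeDefinition>"""

# Assumption: formats the relying party accepts (constructed for this example).
ACCEPTABLE = {"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}


def nameid_encoders(xml_text):
    """Return (attribute id, encoder type, nameFormat) per NameID encoder."""
    root = ET.fromstring(xml_text)
    found = []
    for definition in root.iter(RESOLVER + "AttributeDefinition"):
        for enc in definition.findall(RESOLVER + "AttributeEncoder"):
            enc_type = enc.get(XSI_TYPE, "").split(":")[-1]  # drop any prefix
            # Only encoders that produce a name identifier carry a NameID format.
            if enc_type.endswith(("NameID", "NameIdentifier")):
                found.append((definition.get("id"), enc_type, enc.get("nameFormat")))
    return found


def unacceptable(xml_text, acceptable):
    """NameID encoders whose declared format is outside the acceptable set.

    A missing nameFormat (None) is reported too, for manual review.
    """
    return [e for e in nameid_encoders(xml_text) if e[2] not in acceptable]


if __name__ == "__main__":
    for attr_id, enc_type, fmt in unacceptable(SAMPLE, ACCEPTABLE):
        print(f"{attr_id}: {enc_type} declares {fmt}, not in acceptable set")
```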