NameId question

Cantor, Scott cantor.2 at
Tue Feb 26 13:50:42 EST 2013

On 2/26/13 1:32 PM, "Brewer, Edward L" <lee.brewer at Vanderbilt.Edu> wrote:

>So the assertion is created with the TransientId instead.

Well, for starters, you have to get it to want to pick the bogus format
instead. That's covered in the wiki under NameID format selection, and
involves multiple inputs, but you can specify it now in the RelyingParty
config for that SP. Another way is to manipulate the SP's metadata.

>  Now if I change the nameid-format to transient for concurid then the
>IdP chooses concurid but it uses only username and no @vu.

I think that will be true either way because the encoder you used is for
"string" values, and the Scoped attribute has a more complex structure. So
it's chopping the scope. If there's a scoped variant, you'd have to use
that, but I don't think there is. You probably will need to construct a
variant of the attribute definition for use as a NameID that is not
scoped, and has the necessary data embedded in the string value.

The Template plugin probably would work well for that.

-- Scott
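
[Added example, not part of the original message and not the poster's configuration.] A sketch of the unscoped variant described above, in Shibboleth IdP 2.x attribute-resolver syntax: a Template definition that embeds the scope in a plain string value so the string NameID encoder has nothing to chop. The definition id, the `myLDAP` connector, the `uid` source attribute, the scope value and the format URI are all placeholders and assumptions.

```xml
<!-- Assumed: a data connector with id "myLDAP" that returns the username as "uid". -->
<!-- The id "concuridNameID" is hypothetical; it is a NameID-only variant of the
     scoped attribute, kept separate so the scoped original stays unchanged. -->
<resolver:AttributeDefinition id="concuridNameID" xsi:type="ad:Template">
    <resolver:Dependency ref="myLDAP" />

    <!-- String NameID encoder. nameFormat is a placeholder for the format
         the SP actually asks for. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:example:PLACEHOLDER-nameid-format" />

    <!-- The scope is written into the string itself, so the resulting value
         is a simple string. Replace SCOPE.example with the real scope. -->
    <ad:Template><![CDATA[${uid}@SCOPE.example]]></ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
```

The format still has to be selected for that SP (RelyingParty config or SP metadata, as described above), and the attribute filter policy has to release the new definition to it.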
