NameId question

Brewer, Edward L lee.brewer at Vanderbilt.Edu
Tue Feb 26 14:59:12 EST 2013


Scott,

Thanks! I was able to make it work by doing the following.

I created these two entries in the attribute resolver:

<!-- Template definition: builds the unscoped string value uid@vu from the LDAP uid -->
<resolver:AttributeDefinition xsi:type="Template" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="concurid"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
    <resolver:Dependency ref="myLDAP" />
    <Template>${uid}@vu</Template>
    <SourceAttribute>uid</SourceAttribute>
</resolver:AttributeDefinition>

<!-- Simple definition over concurid: carries the NameID encoder and a plain attribute encoder -->
<resolver:AttributeDefinition id="concurnameid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="concurid"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="concurid" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="username" />
</resolver:AttributeDefinition>

It now releases the NameID as username@vu.

Thanks,
Lee Brewer


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, February 26, 2013 12:51 PM
To: Shib Users
Subject: Re: NameId question

On 2/26/13 1:32 PM, "Brewer, Edward L" <lee.brewer at Vanderbilt.Edu> wrote:

>So the assertion is created with the TransientId instead.

Well, for starters, you have to get it to want to pick the bogus format instead. That's covered in the wiki under NameID format selection, and involves multiple inputs, but you can specify it now in the RelyingParty config for that SP. Another way is to manipulate the SP's metadata.

>Now if I change the nameid-format to transient for concurid then the
>IdP chooses concurid but it uses only username and no @vu.

I think that will be true either way because the encoder you used is for "string" values, and the Scoped attribute has a more complex structure. So it's chopping the scope. If there's a scoped variant, you'd have to use that, but I don't think there is. You probably will need to construct a variant of the attribute definition for use as a NameID that is not scoped, and has the necessary data embedded in the string value.

The Template plugin probably would work well for that.

-- Scott
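As an added check, not code from the thread or from the Shibboleth project, the script below parses an attribute-resolver fragment and, for every definition carrying a SAML2StringNameID encoder, follows Simple definitions back through sourceAttributeID to the value's origin and flags a Scoped origin, the case Scott describes where the encoder emits the string value with its scope chopped. The embedded resolver is constructed from Lee's two definitions plus a hypothetical Scoped "eppn" definition to show the failing case.

```python
import xml.etree.ElementTree as ET

RESOLVER = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample resolver: the thread's two definitions, plus a hypothetical Scoped
# "eppn" definition that feeds a NameID encoder directly (the case Scott describes).
SAMPLE = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="Template" id="concurid" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP"/>
    <Template>${uid}@vu</Template>
    <SourceAttribute>uid</SourceAttribute>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="Simple" id="concurnameid" sourceAttributeID="concurid"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="concurid"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="Scoped" id="eppn" scope="vu" sourceAttributeID="uid"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

def audit_nameid_sources(xml_text=SAMPLE):
    """Map each definition carrying a SAML2StringNameID encoder to
    (origin definition id, origin xsi:type, nameFormat, origin is Scoped).
    Simple definitions are followed via sourceAttributeID to where the value is built."""
    root = ET.fromstring(xml_text)
    defs = {d.get("id"): d for d in root.iter(f"{{{RESOLVER}}}AttributeDefinition")}
    report = {}
    for def_id, node in defs.items():
        for enc in node.iter(f"{{{RESOLVER}}}AttributeEncoder"):
            if enc.get(XSI_TYPE) != "SAML2StringNameID":
                continue
            origin, seen = node, {def_id}
            while origin.get(XSI_TYPE) == "Simple":
                src = origin.get("sourceAttributeID")
                if src not in defs or src in seen:  # source is a data connector, or a cycle
                    break
                seen.add(src)
                origin = defs[src]
            report[def_id] = (origin.get("id"), origin.get(XSI_TYPE), enc.get("nameFormat"),
                              origin.get(XSI_TYPE) == "Scoped")
    return report
```

A True flag in the last tuple position marks a NameID whose scope would be silently dropped; Lee's concurnameid resolves to the unscoped Template definition and passes.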
