NameId question

Brewer, Edward L lee.brewer at Vanderbilt.Edu
Wed Feb 27 09:08:14 EST 2013


Peter,

Good question and sorry for the delay.  Ultimately the choice of transient is not the best and I am working on how to classify the name-id format.  By definition this nameID format is transparent, permanent, targeted, non-revocable, and non-reassignable.  Using the IdPNameIdentifier wiki page, I decided that this nameID should be created using the custom configuration since both transient and persistent were not appropriate.  Following those instructions and the additional information that I got from Scott I was able to create a custom nameID but I still struggled with name-id format values.  Using the document, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 OASIS Standard, 15 March 2005 section 8.3, I decided that the only two nameID formats that were usable were transient and unspecified.  I thought maybe I could use email or Kerberos but I believe that in the case of realm or address that the value of "@vu" would not be accepted.  Therefore on my first test I used unspecified and it failed.  The reason it did not work was that the IdP instead was choosing another nameID, transientID (which I believe was originally configured in the attribute resolver file and the nameID I am using with all others).  I then attempted to modify the relying party entry with nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".  This still did not make the IdP choose my new nameID.  So, I then chose transient and it worked.  I tested my configuration with the vendor and was able to provide the necessary information in the assertion to make them happy.

So, I have a working solution but not a clean one.  

What do you think I should do?
Lee Brewer


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Wednesday, February 27, 2013 2:06 AM
To: users at shibboleth.net
Subject: Re: NameId question

* Brewer, Edward L <lee.brewer at Vanderbilt.Edu> [2013-02-26 21:00]:
> <resolver:Dependency ref="concurid" />
> <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
>     xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>     nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />

But why the transient nameFormat? uid at vu is not really transient, -peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
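The configuration below is an added illustration of the approach discussed in this thread, not Lee's or Peter's actual files: it shows how a stable, non-random identifier such as uid@vu would be encoded with the unspecified NameID format (SAML 2.0 Core section 8.3 reserves transient for short-lived random values), released through the attribute filter, and then selected for one relying party via nameIDFormatPrecedence on a Shibboleth IdP 2.x. The attribute definition id "concurNameID", the dependency id "concurid", the relying party entityID "https://sp.example.org/shibboleth" and the filter policy id are assumptions chosen for the example. The practical check it encodes: the IdP only considers attributes that the filter policy actually releases to that SP when picking a NameID, so an unreleased attribute is silently skipped in favour of whatever transient identifier is released by default.

```xml
<!-- attribute-resolver.xml (fragment; ids and dependency names are assumed for this example) -->
<resolver:AttributeDefinition id="concurNameID" xsi:type="ad:Simple"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="concurid">
    <resolver:Dependency ref="concurid" />
    <!-- The value is permanent and reconstructable from uid, so it is not
         transient and not persistent in the 8.3 sense; unspecified is the
         format that makes no promise the value cannot keep. -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml (fragment): the NameID source attribute must be
     released to the SP, otherwise the IdP never considers it as a NameID. -->
<afp:AttributeFilterPolicy id="releaseConcurNameID">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="concurNameID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- relying-party.xml (fragment): ask for the unspecified format first for
     this SP only, so other SPs keep receiving the default transient NameID. -->
<rp:RelyingParty id="https://sp.example.org/shibboleth"
    provider="https://idp.example.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential"
    nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="conditional" encryptNameIds="never" />
</rp:RelyingParty>
```

With all three pieces in place, an assertion for that SP carries a NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and the stable value, while the IdP log (attribute resolution and filtering at DEBUG) shows whether concurNameID was released; if it was not, the filter policy, not the precedence setting, is the place to look.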
