configuring idp to release the "remote_user" as nameid

Peter Schober peter.schober at univie.ac.at
Tue Jun 25 11:13:57 EDT 2013


* David Mansfield <shibboleth at dm.cobite.com> [2013-06-25 17:08]:
> Well, you definitely make a very good case for changing my ways ;-).  My 
> only other experience with SAML is running a Shibboleth SP where the 
> partner is sending the kerberos principal as a 
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, so I thought this 
> was standard practice.

That's different because "unspecified" doesn't make any promises about
the NameID format, and so by definition a kerberos principal name
fulfills the requirements for an "unspecified" NameID (as would any
other string, random or not).

In your case you're making claims about an identifier by labelling it
"persistent", when in fact it's not, according to the definition of a
persistent NameID.

> I'll look into a computedId solution, and send the kerberos
> principal as a regular attribute.  On the SP side I can map this
> using the attribute map however I want anyway.

You could also just ignore the custom NameID, stick with default
(transient) and just go with attributes.
Will work just as well as /generating/ "persistent" (see the
contradiction in terms?) identifiers from changeable values (i.e., the
kerberos principal name), without the configuration overhead.
-peter
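Added example (not part of the thread, and not Shibboleth's own code): it makes Peter's point concrete by deriving a ComputedId-style identifier once from the kerberos principal and once from a stable internal key, and checking which of the two actually stays the same when the principal is renamed. The hashing recipe (base64 of SHA-1 over relying-party ID, source ID and salt joined by "!") is modelled on the commonly documented Shibboleth IdP computedId scheme; the exact byte layout, the salt, the relying-party URL and the user records are assumptions constructed here.

```python
"""Why a 'persistent' NameID computed from a mutable principal is not persistent.

Constructed sample values throughout; the recipe below is modelled on the
documented Shibboleth IdP computedId scheme and is an assumption, not the
project's code.
"""
import base64
import hashlib

# Constructed values (assumptions, not from the thread).
SALT = b"example-salt-at-least-16-bytes!!"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def computed_id(relying_party: str, source_id: str, salt: bytes) -> str:
    """ComputedId-style NameID: base64(SHA-1(relyingPartyId ! sourceId ! salt)).

    The identifier is pairwise: the same source value yields a different
    NameID for each relying party, which is one requirement of the
    'persistent' format. Persistence itself depends entirely on source_id
    never changing for a given user.
    """
    digest = hashlib.sha1()
    digest.update(relying_party.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


# One user's account over time (constructed): the kerberos principal is
# renamed, e.g. after a name change, while an internal stable key is unchanged.
USER_HISTORY = [
    {"principal": "jdoe@EXAMPLE.ORG", "stable_key": "emp-00042"},
    {"principal": "jsmith@EXAMPLE.ORG", "stable_key": "emp-00042"},
]


def nameid_from_principal(record: dict, relying_party: str = SP_A) -> str:
    """The approach under discussion: 'persistent' NameID derived from the principal."""
    return computed_id(relying_party, record["principal"], SALT)


def nameid_from_stable_key(record: dict, relying_party: str = SP_A) -> str:
    """A source value that does not change when the login name changes."""
    return computed_id(relying_party, record["stable_key"], SALT)


def is_persistent(history: list, derive) -> bool:
    """True only if every record of the same user maps to one identifier."""
    return len({derive(record) for record in history}) == 1


def is_pairwise(record: dict, derive) -> bool:
    """True if two relying parties receive different identifiers for one user."""
    return derive(record, SP_A) != derive(record, SP_B)


def check() -> dict:
    """Summarise which derivation satisfies the persistent-NameID requirements."""
    return {
        "principal_based_persistent": is_persistent(USER_HISTORY, nameid_from_principal),
        "stable_key_based_persistent": is_persistent(USER_HISTORY, nameid_from_stable_key),
        "principal_based_pairwise": is_pairwise(USER_HISTORY[0], nameid_from_principal),
        "stable_key_based_pairwise": is_pairwise(USER_HISTORY[0], nameid_from_stable_key),
    }


if __name__ == "__main__":
    for name, ok in check().items():
        print(f"{name}: {ok}")
```

Both derivations are pairwise (the relying-party ID is mixed into the hash), but only the one fed from a stable key survives a principal rename; a NameID built from the principal is effectively a transient-with-extra-steps that merely claims the "persistent" format. Sending the principal as an ordinary attribute, as the thread suggests, avoids making that claim at all.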
