IDP : Dynamically choose ldap instance from principal

Peter Schober peter.schober at univie.ac.at
Wed Nov 6 12:11:21 EST 2013


* Cantor, Scott <cantor.2 at osu.edu> [2013-11-06 17:50]:
> On 11/6/13, 11:48 AM, "Cédric Couralet" <cedric.couralet at gmail.com> wrote:
> 
> >Yes that is what I implied when I said that it must be an error on my
> >part. I had commented the TransientId part in attribute-resolver.xml
> >without noticing it :)
> 
> That's a mistake on the SP's part, there's no reason to ask for transient
> IDs specifically.

I think MS-ADFS as SAML IDP only sends a transient NameID in the
response (if configured to support that in the first place) when the
SP asks for it. Not asking leads to no NameID being generated, at
least from seeing reports on the SimpleSAMLphp list.
So there might be reasons for an SP to do that I wouldn't necessarily
call "mistakes".
-peter
