SP-specific failure to generate 'good' SAML assertion

Peter Schober peter.schober at univie.ac.at
Wed Nov 13 04:28:40 EST 2013


* David Bantz <dabantz at alaska.edu> [2013-11-13 01:08]:
> And while I remembered that we released transientId to anyone, upon
> closer examination I see that portion of the release policy was
> commented out as part of the attempt to integrate with GAE.

Rules are probably easiest to understand if you (a) leave the
transientId default filter rule (release it to all SPs) and (b) add a
DenyValueRule for transientId for all those SPs for which you've added
the release of a different NameID (such as email for GAFYD).
That should prevent unwanted or seemingly unrelated changes in NameID
processing.
-peter
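
The filter layout suggested above, as an added example that is not part of the original post: an `attribute-filter.xml` sketch in Shibboleth IdP 2.x syntax. The SP entityID `https://sp.example.org/shibboleth`, the attribute ID `email` and the policy id `emailNameIdForExampleSP` are placeholders, and `email` is assumed to be defined in the attribute resolver with a NameID encoder.

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- (a) Default rule, left uncommented: transientId is released to all SPs -->
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- (b) Per-SP policy: release the alternative NameID source and
         deny transientId for this one SP (placeholder entityID) -->
    <afp:AttributeFilterPolicy id="emailNameIdForExampleSP">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://sp.example.org/shibboleth"/>

        <!-- Assumed attribute ID; must match the resolver definition -->
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <!-- Removes transientId for this SP only; every other SP still
             receives it through the default policy above -->
        <afp:AttributeRule attributeID="transientId">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

A deny rule overrides any permit rule for the same attribute and requester, so the order of the two policies in the file does not matter.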

