no NameID in an unsolicited SAML2 Response
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 3 10:56:48 EDT 2013
On 9/3/13 10:32 AM, "Tom Scavo" <trscavo at gmail.com> wrote:

>In my case, I'm doing unsolicited SSO and there are no
><md:NameIDFormat> elements in metadata so the IdP is choosing to not
>send a NameID.

That's only the case if there's nothing released that it can encode into
one.

>That's okay, I control the IdP, but an IdP that
>supports SLO should send a NameID, right?

It has to, yes.

>I mean, I suppose it could choose not to send a NameID in that case but
>that seems to contradict its claim that it supports SLO.

The claim that you support something doesn't necessarily imply that every
transaction will allow for that to work. If you don't send a NameID, then
there's no way for an SP to make use of the profile.

-- Scott