no NameID in an unsolicited SAML2 Response

Cantor, Scott cantor.2 at osu.edu
Tue Sep 3 10:56:48 EDT 2013


On 9/3/13 10:32 AM, "Tom Scavo" <trscavo at gmail.com> wrote:

>In my case, I'm doing unsolicited SSO and there are no
><md:NameIDFormat> elements in metadata so the IdP is choosing to not
>send a NameID.

That's only the case if there's nothing released that it can encode into
one.

> That's okay, I control the IdP, but an IdP that
>supports SLO should send a NameID, right?

It has to, yes.

>I mean, I suppose it could choose not to send a NameID in that case but
>that seems to contradict its claim that it supports SLO.

The claim that you support something doesn't necessarily imply that every
transaction will allow for that to work. If you don't send a NameID, then
there's no way for an SP to make use of the profile.

-- Scott
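
The point above seen from the SP side, as an added example that is not part of the original thread or of any IdP or SP product's code: the check compares what the IdP metadata advertises with what an unsolicited Response actually carries. The entity ID, endpoints, IDs and NameID value are constructed, and the sketch assumes signature validation and hardened XML parsing have already happened.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed IdP metadata: advertises SLO, lists no <md:NameIDFormat>.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Location="https://idp.example.org/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.org/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def make_response(subject_identifier_xml):
    """Build a constructed unsolicited Response (no InResponseTo attribute)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2013-09-03T14:56:48Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-09-03T14:56:48Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>{subject_identifier_xml}
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2013-09-03T14:56:40Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

RESPONSE_NO_NAMEID = make_response("")
RESPONSE_WITH_NAMEID = make_response(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    "_abc123</saml:NameID>")

def slo_check(metadata_xml, response_xml):
    """Return (idp_advertises_slo, name_id_or_None, slo_usable_for_this_session)."""
    md = ET.fromstring(metadata_xml)
    advertises = md.find("md:IDPSSODescriptor/md:SingleLogoutService", NS) is not None
    subject = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject", NS)
    # Only a plain <saml:NameID> is considered here (assumption of this sketch).
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    value = name_id.text.strip() if name_id is not None and name_id.text else None
    # Advertising SLO is per-IdP; being able to use it is per-transaction.
    return advertises, value, advertises and value is not None

if __name__ == "__main__":
    for label, resp in (("no NameID", RESPONSE_NO_NAMEID), ("NameID", RESPONSE_WITH_NAMEID)):
        print(label, slo_check(IDP_METADATA, resp))
```

An SP that logs the first case at session creation can tell in advance which sessions it will not be able to name in a logout request to the IdP.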



