NameID from Subject

Andy Bennett andyjpb at knodium.com
Tue Aug 5 10:06:40 EDT 2014


Hi,

>> If I copy the NameId:, entityID: and Protocol: information from
>> transaction.log from a "recent" transaction and feed it to resolvertest
>> then I get some attributes back.
> 
> Yes, it's doing an attribute query.

Right... but how is it doing it? The NameID there in the log doesn't
match the NameID I get anywhere else?


>> If I feed in anything I get from the
>> persistent-id or transient-id fields in the web server then it doesn't
>> work.
> 
> I don't know what transient-id field you're talking about. There is no
> default mapping rule for a transient NameID by that name. If you created
> one, then it would work as above.

See my other mail, where I clarify s/transient-id/targeted-id/. It was a typo.


> Persistent IDs, when generated by a hash, are not in general reversible by
> the IdP and are not usable for making a query. In any case, the SP is not
> expected to be able to make arbitrary queries to an IdP. That's up to the
> privacy policy of the IdP and is reflected in part by what they make
> available in the assertion's subject.
> 
>> The value in NameID: in the logs never appears in any of the web
>> server variables but, for a given user, I always get the same value in
>> persistent-id or transient-id.
> 
> The only time a persistent-id isn't the NameID is in a SAML 1 assertion
> when it's coming from the eduPersonTargetedID attribute. In any case, it's
> not usable for making a query and whatever you're trying to do, you can't
> do it.

Right... so where is this NameID in the logs that is reversible coming
from? And how do I get it into the web server variables as well?





Regards,
@ndy

-- 
andyjpb at knodium.com
http://www.knodium.com/
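A worked illustration of the point in the quoted reply above that a hashed persistent ID is a one-way value the IdP cannot invert, and so cannot serve as a query key. This is an added example, not code from the thread or from the Shibboleth project. It assumes the salted-SHA-1 construction used by the IdP v2 ComputedId data connector (Base64 of SHA-1 over relyingPartyId, "!", sourceId, "!", salt) and the SP's "idpEntityID!spEntityID!value" layout for the persistent-id variable; the entity IDs, user identifiers and salt are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values; nothing here comes from the original thread.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
SALT = b"constructed-example-salt-keep-this-secret"


def computed_id(relying_party_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Salted one-way persistent ID.

    Assumed form (IdP v2 ComputedId connector): Base64(SHA-1(rp '!' source '!' salt)).
    The output depends on the SP entity ID, so one user gets a different value
    at every SP, and the hash cannot be inverted back to source_id.
    """
    h = hashlib.sha1()
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def sp_persistent_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """What the SP exposes in its persistent-id variable: the NameID value
    prefixed with its NameQualifier and SPNameQualifier, joined by '!'."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def resolve_by_persistent_id(persistent_id: str, relying_party_id: str,
                             candidate_users: list[str], salt: bytes = SALT):
    """The only way back from a persistent ID to a user: recompute the hash for
    every known candidate and compare. Without the IdP's salt and user list
    the value is opaque, which is why an SP cannot use it to query the IdP."""
    for user in candidate_users:
        if computed_id(relying_party_id, user, salt) == persistent_id:
            return user
    return None


def demo() -> dict:
    """Show stability per SP, divergence across SPs, and non-reversibility."""
    alice_at_a = computed_id(SP_A, "alice")
    alice_at_b = computed_id(SP_B, "alice")
    return {
        "stable_for_same_sp": alice_at_a == computed_id(SP_A, "alice"),
        "differs_across_sps": alice_at_a != alice_at_b,
        "sp_variable": sp_persistent_id(IDP_ENTITY_ID, SP_A, alice_at_a),
        "idp_can_match_with_salt": resolve_by_persistent_id(
            alice_at_a, SP_A, ["bob", "alice", "carol"]),
        "sp_cannot_match_without_salt": resolve_by_persistent_id(
            alice_at_a, SP_A, ["bob", "alice", "carol"], salt=b"guess"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The demo function collects the three observations the reply relies on: the value is stable for a given user and SP, differs at another SP, and can be matched only by whoever holds the salt and the candidate list, never inverted.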


