NameID from Subject
Andy Bennett
andyjpb at knodium.com
Tue Aug 5 10:06:40 EDT 2014
Hi,
>> If I copy the NameId:, entityID: and Protocol: information from
>> transaction.log from a "recent" transaction and feed it to resolvertest
>> then I get some attributes back.
>
> Yes, it's doing an attribute query.
Right... but how is it doing it? The NameID there in the log doesn't
match the NameID I get anywhere else??
>> If I feed in anything I get from the
>> persistent-id or transient-id fields in the web server then it doesn't
>> work.
>
> I don't know what transient-id field you're talking about. There is no
> default mapping rule for a transient NameID by that name. If you created
> one, then it would work as above.
See other mail where I clarify s/transient-id/targeted-id/ . It was a typo.
> Persistent IDs, when generated by a hash, are not in general reversible by
> the IdP and are not usable for making a query. In any case, the SP is not
> expected to be able to make arbitrary queries to an IdP. That's up to the
> privacy policy of the IdP and is reflected in part by what they make
> available in the assertion's subject.
>
>> The value in NameID: in the logs never appears in any of the web
>> server variables but, for a given user, I always get the same value in
>> persistent-id or transient-id.
>
> The only time a persistent-id isn't the NameID is in a SAML 1 assertion
> when it's coming from the eduPersonTargetedID attribute. In any case, it's
> not usable for making a query and whatever you're trying to do, you can't
> do it.
Right... so where is this NameID in the logs that is reversible coming
from? ...and how do I get it in the web server variables as well?
Regards,
@ndy
--
andyjpb at knodium.com
http://www.knodium.com/
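The reply above says that hash-generated persistent IDs are not reversible by the IdP and so cannot drive an attribute query, while the original poster sees the same persistent-id value for a given user every time. The following Python sketch, added here as an illustration and not code from the thread or from the Shibboleth project, shows both properties on constructed values: a one-way pairwise identifier that is stable per (SP, user) and different per SP, and the contrast with a stored-ID table that records the mapping at issuance time and is what makes a later lookup by NameID possible. The derivation is modelled on the ComputedId scheme (SHA-1 over relyingPartyId, source ID and a secret salt, Base64-encoded); that, the salt, the entityIDs and the user names are assumptions made for the example.

```python
import base64
import hashlib

# Constructed values for this example; none of them come from the original thread.
SALT = b"example-only-salt-0123456789"  # assumed: a long secret salt configured on the IdP


def computed_persistent_id(relying_party_id: str, source_id: str, salt: bytes = SALT) -> str:
    """One-way, pairwise persistent identifier.

    Assumption: modelled on a ComputedId-style data connector, which
    Base64-encodes SHA-1(relyingPartyId + "!" + sourceId + "!" + salt).
    Nothing here can be inverted to recover sourceId from the output.
    """
    material = relying_party_id.encode() + b"!" + source_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


class StoredIdConnector:
    """Assumed simplification of a stored-ID approach: the IdP records the
    (relying party, persistent ID) -> source ID mapping when it issues the
    identifier, so it can later resolve a NameID presented in an attribute query.
    A hash-only connector has no such table and therefore has nothing to look up."""

    def __init__(self) -> None:
        self._table: dict[tuple[str, str], str] = {}

    def issue(self, relying_party_id: str, source_id: str) -> str:
        pid = computed_persistent_id(relying_party_id, source_id)
        self._table[(relying_party_id, pid)] = source_id
        return pid

    def resolve(self, relying_party_id: str, persistent_id: str):
        # Returns None for an ID that was never issued to this relying party.
        return self._table.get((relying_party_id, persistent_id))


def demo() -> dict:
    sp = "https://sp.example.org/shibboleth"           # constructed entityID
    other_sp = "https://other.example.net/shibboleth"  # constructed entityID
    first = computed_persistent_id(sp, "jdoe")
    again = computed_persistent_id(sp, "jdoe")
    elsewhere = computed_persistent_id(other_sp, "jdoe")

    connector = StoredIdConnector()
    issued = connector.issue(sp, "jdoe")

    return {
        # Same user and same SP: the SP always sees the same persistent-id.
        "stable": first == again,
        # Same user at a different SP: unlinkable value, so SPs cannot correlate users.
        "pairwise": first != elsewhere,
        # Only a mapping stored at issuance lets the IdP get back to the user.
        "resolvable_from_table": connector.resolve(sp, issued) == "jdoe",
        # An ID issued to one SP means nothing when presented by another.
        "unknown_to_other_sp": connector.resolve(other_sp, issued) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to print the four checks; every one should come out True. The point for an SP operator is that a value in the persistent-id variable is, by design, only meaningful to the IdP that issued it, and only if that IdP kept a record of issuing it.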