where is transientId in SAML assertion
Brent Putman
putmanb at georgetown.edu
Wed Sep 24 20:20:35 EDT 2014
On 9/24/14 7:22 PM, Kevin Foote wrote:
> On Sep 24, 2014, at 2:53 PM, David Bantz <dabantz at alaska.edu> wrote:
>
>> A different vendor is unable to properly interpret the SAML assertion from my IdP,
>> and I haven’t been able to fathom why not, but notice that despite parallel
>> debug log entries that transientId will be used to construct NameID, a corresponding
>> NameID is not in the Subject. Instead there’s an EncryptedID.
> David,
>
> Check your relying-party.xml for the ProfileConfiguration of the profile you are using, presumably SAML2SSOProfile
> Is this set? encryptNameIds="conditional"
> And what is their end asking for?
Right, David's encryptNameIds param must be set to "conditional" or
"always". If the RP doesn't support encrypted NameIDs (few probably
do), then you want to set that to "never". For the record, the
out-of-the-box default for all profiles is encryptNameIds="never".
And, based on your log info, you are actually sending a transient ID,
it's just encrypted. Those are orthogonal concepts.
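An added example, not code from the thread: a small standard-library Python check that reports whether an assertion's Subject carries a plaintext NameID or an EncryptedID, which is the distinction Brent draws above. Both assertions are constructed placeholders; the issuer URL and identifier values are assumed.

```python
import xml.etree.ElementTree as ET
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample 1: the Subject carries an EncryptedID, which is what the
# IdP emits when encryptNameIds is "conditional" or "always". The CipherValue
# is a placeholder, not real ciphertext.
ENCRYPTED_ID_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_c1" Version="2.0">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:EncryptedID>
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </saml2:EncryptedID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample 2: the same Subject with encryptNameIds="never", so the
# transient NameID is readable. The identifier value is a placeholder.
PLAIN_ID_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c2" Version="2.0">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example.edu/idp/shibboleth">PLACEHOLDER-TRANSIENT-ID</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

def inspect_subject(assertion_xml):
    """Report what the Subject carries ('NameID', 'EncryptedID' or 'none')
    and the NameID Format when it is readable in the clear."""
    root = ET.fromstring(assertion_xml.strip())
    subject = root.find("saml2:Subject", NS)
    if subject is None:
        return {"kind": "none", "format": None}
    if subject.find("saml2:EncryptedID", NS) is not None:
        # The identifier is present but opaque without the RP's decryption
        # key; an RP that cannot decrypt it will report the NameID as missing.
        return {"kind": "EncryptedID", "format": None}
    name_id = subject.find("saml2:NameID", NS)
    if name_id is not None:
        return {"kind": "NameID", "format": name_id.get("Format")}
    return {"kind": "none", "format": None}

def is_transient(result):
    return result["kind"] == "NameID" and result["format"] == TRANSIENT
```

Run it against the assertion captured from the IdP's debug output (or the SP's) to confirm whether the "missing" NameID is really an EncryptedID.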