The definition of principal

Cantor, Scott cantor.2 at
Fri Sep 26 11:27:23 EDT 2014

On 9/26/14, 10:54 AM, "Mike Flynn" <shibbolethlynda at> wrote:

>I am currently having a conversation with SuccessFactors / BizX with
>regard to their requiring that we use nameID as a unique, immutable ID
>token for the user.

The basic answer is, please identify the SAML standard format you want to
use. If they intend to use "persistent", then they aren't doing anything
but what Shibboleth already does by default. If they say something else,
they're either misusing another format, using unspecified, or, far less
likely, actually minting a custom format.

The problem is interoperability and having things "just work" with
well-defined semantics, and while higher ed/EduPerson isn't perfect, it's
about the only game in town. The rest of the market has no such standard
to follow so they just make it all up, or in most cases use unspecified.

>Is this appropriate?

Yes, but what's not appropriate is treating the field as some kind of
one-off agreement. If you use NameID, you should have a Format to point to
that has standard semantics.

>If appropriate, can I configure my SP (v2.3.1) to pass nameID to the
>protected resource in some fashion?

Yes, but what you can't do, for example, is map a given Format (particularly
the aforementioned "unspecified") to a different header for each IdP. And
that's the risk: when you don't have clear definitions in play, you may
end up with two IdPs trying to use the same Format when they don't provide
the same guarantees around the data.

-- Scott
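To make the point about Format-keyed mapping concrete, here is an attribute-map.xml fragment for the Shibboleth SP 2.x that exposes a "persistent" NameID to the protected resource. It is an added illustration modeled on the SP's default attribute-map.xml, not code from the post or from the Shibboleth project; the attribute id "persistent-id" (which becomes the header/variable name) and the commented-out "unspecified" entry are assumed values chosen for the example.

```xml
<!-- attribute-map.xml (Shibboleth SP 2.x); added illustration, not from the post.
     The SP selects a NameID mapping by its Format URI, not by the issuing IdP,
     so a single entry applies to every IdP that sends that Format. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Standard "persistent" NameID: opaque, per-SP, stable across sessions.
         The decoded value reaches the application under the attribute id
         "persistent-id" (assumed name) as a header or environment variable.
         The formatter prefixes the qualifiers so values from different IdPs
         cannot collide even if two of them emit the same opaque string. -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>

    <!-- Mapping "unspecified" looks like this; it is the case the post warns
         about. The entry applies to every IdP that sends that Format, so two
         IdPs with different meanings for the value land in the same header.
         Left commented out on purpose. -->
    <!--
    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
               id="unspecified-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name"/>
    </Attribute>
    -->
</Attributes>
```

The mapped attribute still has to pass attribute-policy.xml before the application sees it; the default policy shipped with the SP already carries a rule for "persistent-id".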
