The definition of principal

Eric Goodman Eric.Goodman at
Fri Sep 26 12:13:38 EDT 2014

>OK, Their MD says persistent:     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

To follow up on Scott’s point here, “persistent” also requires the value to be opaque and targeted, not just unique and immutable. Very few vendors I’ve dealt with are actually interested in opaque name IDs – or at least in practice they aren’t. Typically they want values that other systems know (ePPN or UID) and not actual persistent values (like ePTID). [Technically, the vendor is probably willing to accept ePTID, but only if some other batch feed pre-populates user profiles with the ePTID. That is, if it’s opaque on the wire but not opaque to the vendor.]

When dealing with vendors who insist on receiving identifiers in the NameID portion of the assertion, we’ve taken to using the URN of the attribute that’s being populated as the NameID format. That is, we use the URN that the value would have had if we were able to pass the value as an attribute.

It’s extremely one-off, but as Scott notes, the pre-defined NameID formats match the identifiers we’re using, so neither is it correct to use any existing values, so we’re doomed to dealing with things one-off with such vendors anyway. At least using the URN lets *us* easily see what the custom value semantics are, and we can use it consistently across vendors.

--- Eric
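The post distinguishes a true "persistent" NameID (opaque, targeted to one SP, unique and immutable) from what vendors usually want (a known attribute such as ePPN passed in the NameID slot). The following added example, which is not part of the original message or of any Shibboleth code, makes that distinction checkable: it derives a targeted, opaque identifier, emits a NameID element with either the standard persistent Format or an attribute URN used as the Format (the approach described above), and tests an issuing function against the four properties "persistent" requires. The salt, entity IDs and users are constructed sample values, and the hash construction is only loosely modelled on a computed-ID connector (the real algorithm and encoding differ).

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# eduPersonPrincipalName in urn:oid form, used here as a custom NameID Format
# (the "URN of the attribute being populated" approach from the post).
FORMAT_EPPN_URN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

# Constructed sample data: (internal source id, ePPN) per user, and two SPs.
USERS = [("u100", "alice@example.edu"), ("u101", "bob@example.edu")]
SPS = ["https://sp-one.example.com/shibboleth", "https://sp-two.example.org/sp"]
SALT = b"constructed-secret-salt-not-for-production"  # assumption: a long secret in real deployments


def targeted_persistent_id(source_id: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Opaque + targeted + immutable: a keyed hash over (SP, internal id, salt).
    Assumption: sha256 and base64; a real computed-ID connector differs."""
    material = sp_entity_id.encode() + b"!" + source_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def name_id_xml(value: str, fmt: str, idp_entity_id: str, sp_entity_id: str = "") -> str:
    """Serialise a saml:NameID with the given Format and qualifiers."""
    el = ET.Element(f"{{{SAML_NS}}}NameID", {"Format": fmt, "NameQualifier": idp_entity_id})
    if sp_entity_id:
        el.set("SPNameQualifier", sp_entity_id)
    el.text = value
    return ET.tostring(el, encoding="unicode")


def check_persistent_properties(issue, users=USERS, sps=SPS) -> dict:
    """issue(source_id, eppn, sp) -> NameID value. Reports whether the issuing
    function satisfies what the persistent format demands."""
    values = {(u, sp): issue(u, eppn, sp) for u, eppn in users for sp in sps}
    immutable = all(issue(u, eppn, sp) == values[(u, sp)] for u, eppn in users for sp in sps)
    unique = len(set(values.values())) == len(values)
    targeted = all(len({values[(u, sp)] for sp in sps}) == len(sps) for u, _ in users)
    known = {u for u, _ in users} | {eppn for _, eppn in users}
    opaque = not any(v in known for v in values.values())
    return {"immutable": immutable, "unique": unique, "targeted": targeted, "opaque": opaque}


def issue_persistent(source_id, eppn, sp):
    return targeted_persistent_id(source_id, sp)


def issue_eppn_as_nameid(source_id, eppn, sp):
    # What many vendors actually ask for: the known identifier in the NameID slot.
    return eppn


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    print(name_id_xml(issue_persistent("u100", "alice@example.edu", SPS[0]), FORMAT_PERSISTENT, idp, SPS[0]))
    print(name_id_xml("alice@example.edu", FORMAT_EPPN_URN, idp))
    print("persistent:", check_persistent_properties(issue_persistent))
    print("eppn as NameID:", check_persistent_properties(issue_eppn_as_nameid))
```

Running the script shows the derived value passing all four checks while the ePPN-as-NameID variant fails "targeted" and "opaque", which is exactly why labelling the latter with the persistent Format is wrong and an attribute URN as the Format is the more honest choice.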
