The definition of principal

Cantor, Scott cantor.2 at
Fri Sep 26 12:18:35 EDT 2014

On 9/26/14, 12:13 PM, "Eric Goodman" <Eric.Goodman at> wrote:

>When dealing with vendors who insist on receiving identifiers in the
>NameID portion of the assertion, we've taken to using the URN of the
>attribute that's being populated as the NameID format. That is, we use
>the URN that the value would have had if we were able to pass the value
>as an attribute.

That's the profile I defined to address that use case. Note, Mike's the
vendor here, the SP. He's asking about an IdP that apparently claims to
want to do this.

>It's extremely one-off, but as Scott notes, the pre-defined NameID
>formats match the identifiers we're using, so neither is it correct to
>use any existing values, so we're doomed to dealing with things one-off
>with such vendors anyway. At least using the URN lets *us* easily see
>what the custom value semantics are, and we can use it consistently
>across vendors.

It's not a one-off in that sense, you're following a profile, clearly
identifying the format with a standard value that has general
applicability, and not lying about the data.

The one-off aspect is that every vendor probably wants a different one.

-- Scott
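The approach discussed above (putting an attribute value into the NameID and setting the NameID Format to the URN the attribute would otherwise have carried) as an added, self-contained example; this is not code from the thread or from the Shibboleth project. The attribute-name-to-URN table is an assumption for illustration (the thread names no particular attribute), and the SP-side helper shows why the format value is useful: it lets the receiver recover the attribute semantics instead of guessing, and it distinguishes the standard, pre-defined formats from an attribute URN.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Pre-defined NameID Format values from the SAML 1.1 / 2.0 specifications.
STANDARD_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Assumed table (not from the thread): attribute name -> urn:oid name the
# attribute would carry in an <saml:Attribute Name="..."> element.
ATTRIBUTE_URNS = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
}


def build_subject_xml(attribute_name, value):
    """IdP side: emit a <saml:Subject> whose NameID carries `value` and
    whose Format is the URN of the attribute the value belongs to, so the
    assertion does not claim a standard format it is not actually using."""
    fmt = ATTRIBUTE_URNS[attribute_name]  # KeyError for an unknown attribute
    subject = ET.Element(f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=fmt)
    name_id.text = value
    return ET.tostring(subject, encoding="unicode")


def describe_nameid(subject_xml):
    """SP side: read the NameID and say what it is. A standard Format is
    reported as such; an attribute URN is mapped back to the attribute
    name; anything else is rejected rather than silently treated as an
    opaque identifier."""
    subject = ET.fromstring(subject_xml)
    name_id = subject.find(f"{{{SAML_NS}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("Subject carries no NameID value")
    # Per SAML Core, a missing Format means 'unspecified'.
    fmt = name_id.get("Format",
                      "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt in STANDARD_FORMATS:
        return {"standard": True, "format": fmt, "attribute": None,
                "value": name_id.text}
    urn_to_attribute = {urn: name for name, urn in ATTRIBUTE_URNS.items()}
    if fmt not in urn_to_attribute:
        raise ValueError(f"unrecognised NameID Format: {fmt}")
    return {"standard": False, "format": fmt,
            "attribute": urn_to_attribute[fmt], "value": name_id.text}


if __name__ == "__main__":
    xml = build_subject_xml("eduPersonPrincipalName", "jdoe@example.edu")
    print(xml)
    print(describe_nameid(xml))
```

The lookup table is the piece that makes this "not a one-off": the same URN means the same thing to every SP that consumes it, and the SP can refuse anything it has not been configured to understand instead of treating an unknown Format as an opaque string.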
