Idp 3.x persistentId / shibsp-plugin-AttributeQuery-Handler

Peter Schober peter.schober at univie.ac.at
Fri Apr 17 10:12:43 EDT 2015


* Cantor, Scott <cantor.2 at osu.edu> [2015-03-31 16:23]:
> After all of that, you still need to manipulate metadata or
> configuration to get the "persistent" NameID Format used in the
> transaction. The simplest way is to embed the appropriate
> NameIDFormat element in the SP's metadata or configure it to request
> the right Format in its AuthnRequest.

You can't really do the latter unless you're certain all IDPs you'll
interoperate with are able to send the persistent NameID in the
Subject of the Assertion, as compared to sending a transient NameID in
the Subject as usual and putting the persistent NameID into an
Attribute (eduPersonTargetedID commonly).
At least I've found the only way to interop is not to request a
specific format, even if you always want a persistent NameID to be
returned one way or the other.

The SP doesn't care about any of this, of course, with the exception
that IDPs sending the persistent NameID in both places will end up
with two identical values in their persistentId environment variable
in their Shib SP. So you'd need to de-duplicate those before use in
your application.
-peter
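To de-duplicate the doubled persistentId values before the application uses them, here is an added example (not code from the thread or from the Shibboleth project). It assumes the SP's default ";" delimiter, that a literal delimiter inside a value is backslash-escaped, and the default NameIDAttributeDecoder formatter `$NameQualifier!$SPNameQualifier!$Name`; the expected IdP and SP entityIDs are passed in so that a value scoped to some other IdP or SP is rejected rather than silently accepted.

```python
from typing import List, Tuple

# Constructed sample of what the SP might place in the persistentId variable when
# the IdP sent the persistent NameID both in the Subject and as eduPersonTargetedID,
# plus one value scoped to a different IdP (should never be accepted).
SAMPLE_PERSISTENT_ID = (
    "https://idp.example.org/idp!https://sp.example.org/shibboleth!abc123;"
    "https://idp.example.org/idp!https://sp.example.org/shibboleth!abc123;"
    "https://other.example.net/idp!https://sp.example.org/shibboleth!zzz999"
)


def split_shib_values(raw: str, delimiter: str = ";") -> List[str]:
    """Split an SP attribute string on its delimiter.

    Assumption: the SP escapes a literal delimiter inside a value with a
    backslash, so only unescaped delimiters separate values.
    """
    values, current, escaped = [], [], False
    for ch in raw:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == delimiter:
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return [v for v in values if v]


def dedupe_persistent_ids(raw: str, expected_idp: str, expected_sp: str) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected); duplicates collapse to the first occurrence.

    A value is rejected if it lacks the assumed "NameQualifier!SPNameQualifier!Name"
    shape or its qualifiers are not the authenticating IdP and this SP.
    """
    accepted, rejected, seen = [], [], set()
    for value in split_shib_values(raw):
        if value in seen:
            continue
        seen.add(value)
        parts = value.split("!", 2)
        if len(parts) != 3 or parts[0] != expected_idp or parts[1] != expected_sp or not parts[2]:
            rejected.append(value)
            continue
        accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = dedupe_persistent_ids(SAMPLE_PERSISTENT_ID, "https://idp.example.org/idp",
                                    "https://sp.example.org/shibboleth")
    print("accepted:", ok)
    print("rejected:", bad)
```

In a real deployment the raw string comes from the persistentId environment variable (or request header), and anything in the rejected list is worth logging as a misconfigured or suspicious IdP.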

