Name Identifier attribute release

Cantor, Scott cantor.2 at osu.edu
Wed Aug 19 10:36:22 EDT 2015


On 8/19/15, 9:36 AM, "users on behalf of Michael Dahlberg" <users-bounces at shibboleth.net on behalf of olgamirth at gmail.com> wrote:



>            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent" />

That's for opaque, pairwise identifiers only, so you should not be using it here.

>The cn attribute is one that is released by the data connector referenced in myLDAP and contains the username of the authenticated user

If you're populating the subject with the value of an arbitrary attribute, and no existing Format applies, you should use the URI of the SAML Attribute Name as the NameID Format.

>It looks as if the NameID value is the transientId, not the cn.  I have no idea why the transientId is returned rather than the cn from the configurations listed above.

Releasing an attribute is necessary, but not sufficient, you still have to address which Format is actually selected. The wiki documents the NameID Format selection process, and absent any other input, it's basically random. If you want to use a Format with a particular SP, you either put it in the SP's metadata in a NameIDFormat element, or use the RelyingParty nameIDFormatPrecedence setting.

-- Scott



More information about the users mailing list