Multiple Name ID's in IdP 2.x for Google Apps
Cantor, Scott
cantor.2 at osu.edu
Mon Aug 24 17:17:04 EDT 2015
On 8/24/15, 5:06 PM, "users on behalf of Leung, Warren" <users-bounces at shibboleth.net on behalf of wleung at it.ucla.edu> wrote:
>I thought that the filtering would occur with the SP metadata thus using
>the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Am I missing
>another configuration somewhere? I can get it to work when I add a
>DenyValueRule in the attribute filter for Google Apps.
Using "unspecified" is a bad thing, but if you want to do it, use the relying-party's nameIDFormatPrecedence setting to specify it, not the metadata. V3 ignores that value in the metadata so even if it works now, which I was very certain was not the case (but was apparently mistaken), it won't later.
(To understand why it's a bad thing, consider what happens if you have 2 SPs, and both actually require "unspecified", but they actually require different values in the NameID to link on.)
-- Scott
More information about the users
mailing list