nameID selection in v2 legacy mode
morgan at orst.edu
Mon Dec 28 19:48:44 EST 2015
On Tue, 29 Dec 2015, Cantor, Scott wrote:
> On 12/28/15, 6:11 PM, "users on behalf of Andrew Morgan"
> <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:
>> When Xfinity identified the problem with their SP, they suggested we send
>> a persistent NameID containing the EPPN. We do that for a couple other
>> services, so I tried to implement that in the same way.
> "Persistent" would mean a pairwise, opaque value, you would never use
> that format with something like EPPN unless you were very deliberately
> choosing to never support a targeted ID. Never, ever, ever use a single
> format to mean different things for different SPs. That is total
> madness. Push back, scream, kick, bite, but never do that.
Umm, I won't tell you how many vendors we did this for! :)
What NameID format would be appropriate for EPPN?
>> I don't need clusterable IDs because we do not support artifacts or
>> attribute query. How do I switch back to the old transientID format? Is
>> it as simple as setting:
>> idp.transientId.generator = shibboleth.StoredTransientIdGenerator
> But they have a bug. I'll take the blame for the fact that "transient"
> has too few constraints on it in SAML (length, charset) but not allowing
> 256 bytes and any legal XML character is pretty much a non-starter for
> any SP.
Yeah, the definitely have a bug. Supposedly they are upgrading to a new
OpenAM on January 4th to fix the NameID processing.
>> I don't see where I can set the Storage Service for it (in-memory would be
> It's not exposed at the moment, at least without just outright
> overriding a system bean.
What Storage Service does it use then? I'm running it now just fine, so I
assume it uses some default in-memory storage.
>> Should I remove all of my transientID handling in attribute-filter.xml?
> I don't think there's anyway for those rules to affect anything now, but
> I would have to think about it. You'd have to have the new transient ID
> generator plugin disabled I think.
Okay. Certainly when I was actively trying to block the transientID, it
was unsuccessful. Maybe I'll play around on my DEV instance to see if
there is any effect when I remove the blocks in my existing rules.
More information about the users