IdPv3 and generating persistent NameID
Cantor, Scott
cantor.2 at osu.edu
Fri May 1 13:56:30 EDT 2015
On 5/1/15, 1:41 PM, "Sara Hopkins" <sara.hopkins at ed.ac.uk> wrote:
>
>OK, so I'm trying to force the IdP to release the persistent ID by
>having this in the shibboleth.DefaultRelyingParty bean:
>
><bean parent="SAML2.SSO"
>p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'}}"
>/>
>
>I also tried this:
>
><bean parent="SAML2.SSO"
>p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>/>

The latter is a shorthand for the former, but either should work.

>but I still just get a transient nameID.

I'd have to see a log or do some testing, but I would also check to see if anything is in the metadata.

>Is nameIDFormatPrecedence sufficient on its own to achieve this, or does
>it have to be specified by the SP as well (whether in metadata or by
>requesting a Format in a NameIDPolicy element)?

I think it's overridden by metadata, and I would always favor using metadata to do this because that's much clearer and less work, but it isn't necessary.
-- Scott
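
One way to carry out the metadata check suggested in the reply above is to list the NameIDFormat elements each SP declares in its SPSSODescriptor. This is an added example, not part of the original thread or of the Shibboleth code base; the entityIDs and the sample metadata are constructed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample metadata (hypothetical SPs), embedded so this runs offline.
# Real metadata should be parsed only after its signature has been verified.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
      <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
      <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
      <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sp_nameid_formats(metadata_xml):
    """Map each SP entityID to the NameIDFormat values it declares, in document order."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root, so a bare EntityDescriptor document works too.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.find(f"{{{MD}}}SPSSODescriptor") is None:
            continue  # not an SP role (e.g. an IdP entry); skip it
        path = f"{{{MD}}}SPSSODescriptor/{{{MD}}}NameIDFormat"
        result[entity.get("entityID")] = [
            el.text.strip() for el in entity.iterfind(path) if el.text]
    return result

def report(metadata_xml):
    """One status line per SP: what, if anything, its metadata says about NameID formats."""
    lines = []
    for entity_id, formats in sp_nameid_formats(metadata_xml).items():
        if not formats:
            status = "no NameIDFormat declared"
        elif PERSISTENT in formats:
            status = "declares persistent"
        else:
            status = "declares only: " + ", ".join(formats)
        lines.append(f"{entity_id}: {status}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_METADATA)))
```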