Shib V3 upgrade breaks NameIdentifier Format and NameQualifier
Kong, Howard
Howard.Kong at uth.tmc.edu
Thu Apr 28 11:33:18 EDT 2016
There is an SP which expects a particular NameIdentifier Format and NameQualifier, as shown below; it failed after the V3 upgrade.
Attribute-Resolver.xml:
<resolver:AttributeDefinition id="MYtransientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" nameQualifier="MY_SUBJECT"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" nameQualifier="MY_SUBJECT" />
</resolver:AttributeDefinition>
SAML response from the IDP after authentication:
*********** The IDP response from V2 ***************
<saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="MY_SUBJECT">**********************</saml1:NameIdentifier>
*********** The IDP response from V3 ***************
<saml1:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
NameQualifier="https://myexample.org/idp/shibboleth">**********************</saml1:NameIdentifier>
My question is how we should configure V3 so that the IDP response for the NameIdentifier is the same as it was in V2.
Thanks,
Howard
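An added example, not part of the original post or of Shibboleth itself: a small namespace-aware check that parses a SAML 1.x assertion and reports whether every saml1:NameIdentifier carries the Format and NameQualifier the relying SP expects. It is the kind of pre/post-upgrade regression test an IdP operator can run against captured responses before an SP starts rejecting logins. The two sample assertions are constructed from the attribute values quoted above (the V2 and V3 responses); the surrounding Assertion/Subject elements and the transient identifier value are placeholders, and the expected values are taken from the SP requirement in the post.

```python
# Added example (not code from the original post or from Shibboleth):
# check that a SAML 1.x assertion's NameIdentifier matches what an SP expects.
import xml.etree.ElementTree as ET

# SAML 1.0 and 1.1 assertions share this namespace.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NAME_IDENTIFIER_TAG = f"{{{SAML1_NS}}}NameIdentifier"

# What the SP in the post expects (values from the V2 response).
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EXPECTED_QUALIFIER = "MY_SUBJECT"

# Constructed sample: NameIdentifier as the V2 IdP emitted it.
# The wrapping elements and the identifier value are placeholders.
V2_RESPONSE = f"""<saml1:Assertion xmlns:saml1="{SAML1_NS}">
  <saml1:AuthenticationStatement>
    <saml1:Subject>
      <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        NameQualifier="MY_SUBJECT">PLACEHOLDER_TRANSIENT_ID</saml1:NameIdentifier>
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>"""

# Constructed sample: NameIdentifier as the V3 IdP emitted it after the upgrade.
V3_RESPONSE = f"""<saml1:Assertion xmlns:saml1="{SAML1_NS}">
  <saml1:AuthenticationStatement>
    <saml1:Subject>
      <saml1:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
        NameQualifier="https://myexample.org/idp/shibboleth">PLACEHOLDER_TRANSIENT_ID</saml1:NameIdentifier>
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>"""


def find_name_identifiers(xml_text):
    """Return all saml1:NameIdentifier elements in an assertion (namespace-aware)."""
    root = ET.fromstring(xml_text)
    return list(root.iter(NAME_IDENTIFIER_TAG))


def check_name_identifier(xml_text, expected_format, expected_qualifier):
    """Compare each NameIdentifier's Format/NameQualifier against the SP's expectation.

    Returns a list of human-readable mismatch descriptions; an empty list means
    the assertion would satisfy an SP with these expectations.
    """
    problems = []
    identifiers = find_name_identifiers(xml_text)
    if not identifiers:
        return ["no saml1:NameIdentifier element found in assertion"]
    for nid in identifiers:
        fmt = nid.get("Format")
        qualifier = nid.get("NameQualifier")
        value = (nid.text or "").strip()
        if fmt != expected_format:
            problems.append(f"Format is {fmt!r}, expected {expected_format!r}")
        if qualifier != expected_qualifier:
            problems.append(
                f"NameQualifier is {qualifier!r}, expected {expected_qualifier!r}"
            )
        if not value:
            problems.append("NameIdentifier value is empty")
    return problems


if __name__ == "__main__":
    for label, response in (("V2", V2_RESPONSE), ("V3", V3_RESPONSE)):
        issues = check_name_identifier(response, EXPECTED_FORMAT, EXPECTED_QUALIFIER)
        status = "OK" if not issues else "MISMATCH"
        print(f"{label}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the two samples, the V2 assertion passes and the V3 assertion reports both a Format and a NameQualifier mismatch, which is exactly the regression the post describes. To use it on real traffic, feed it the decoded assertion captured from the IdP (or from the SP's own logs) and set the expected values to whatever the SP's configuration demands.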