Shib V3 upgrade breaks NameIdentifier Format and NameQualifier
Cantor, Scott
cantor.2 at osu.edu
Thu Apr 28 11:53:46 EDT 2016
> Attribute-Resolver.xml:
>
> <resolver:AttributeDefinition id="MYtransientId" xsi:type="TransientId"
> xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>
> <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
> nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> nameQualifier="MY_SUBJECT"/>
>
> <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> nameQualifier="MY_SUBJECT" />
>
> </resolver:AttributeDefinition>
That is absolutely incorrect. A transient ID is a generated value and cannot be turned into some other kind of NameID. In addition, the V3 code handles transient generation in the new layer that handles NameID generation outside the resolver, and so the existing TransientId attribute definition is null and void. The log should be indicating that it's not used any more.
So you cannot do that. You need to do what you should have done originally, create a separate AttributeDefinition for the NameID you want to generate.
Alternatively, you could choose to configure the custom NameID in the V3 manner as documented in the wiki, but either will work.
-- Scott
More information about the users
mailing list