AuthnRequest question

Doan, Tommy tdoan at smu.edu
Sat Mar 5 09:18:04 EST 2016


Right, I was just asking where the NameIDPolicy Format element in the request comes from. Now I understand it's strictly a configuration item on this ADFS SP side, and can't be manipulated by the SP metadata I have for them. That makes sense. The odd thing is that there are 3 Name ID formats specified in their metadata, and none of them match the one sent in their request. 

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

In the end, this sounds like an element of the request that the IdP will just ignore, so I will too. Thanks Scott. 

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Friday, March 4, 2016 6:57 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: AuthnRequest question

> I have a very fundamental question about how SAML Requests are 
> constructed. Can someone refer me to some documentation?

Constructed by what? That's an implementation issue. I don't think you're asking how they're encoded or transmitted or what the contents mean, but that's in the standard.

> When I look at a request with Fiddler, I see the following 
> AuthnRequest. The thing I really don't understand is where the 
> elements of the request are coming from.

From whatever SP implementation is creating it.

> For example, where does the NameIDPolicy Format come from?

From somebody that doesn't understand SAML. Read it out loud:

"I request a NameID with a Format that is unspecified."

Make any sense? No. And we ignore it.

-- Scott
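
Added example, not part of the original thread and not Shibboleth or ADFS code: a small Python check that decodes an HTTP-Redirect `SAMLRequest` value (such as one captured in Fiddler), reads the NameIDPolicy Format, and compares it with the NameIDFormat entries in the SP's metadata. The function names, the sample XML and the `ID` value are constructed for illustration, and the `SAMLRequest` value is assumed to be already URL-decoded.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample input: SP metadata listing the three formats from the thread.
SAMPLE_METADATA = (
    '<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>"
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>"
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
    "</md:SPSSODescriptor>")
# Constructed sample request carrying the "unspecified" Format.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0">'
    '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>'
    "</samlp:AuthnRequest>" % UNSPECIFIED)

def parse_xml(text):
    # SAML messages never need a DTD; refuse one before the parser sees it.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD not allowed in SAML XML")
    return ET.fromstring(text)

def decode_redirect_request(value):
    """Undo HTTP-Redirect encoding: base64, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def requested_format(request_xml):
    """Return NameIDPolicy/@Format, or None when the element or attribute is absent."""
    policy = parse_xml(request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def metadata_formats(metadata_xml):
    """Return every NameIDFormat value listed in the SP metadata."""
    return [e.text.strip() for e in parse_xml(metadata_xml).findall(".//md:NameIDFormat", NS)]

def compare(request_xml, metadata_xml):
    fmt = requested_format(request_xml)
    if fmt is None or fmt == UNSPECIFIED:
        return "no-preference"  # nothing specific requested, nothing to match
    return "match" if fmt in metadata_formats(metadata_xml) else "mismatch"
```

For a request captured from the POST binding, skip `decode_redirect_request` and base64-decode the form value directly, since that binding does not use DEFLATE.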
