Adding principal connector to IdPv3

Cantor, Scott cantor.2 at osu.edu
Mon Apr 3 09:20:44 EDT 2017


> Full disclosure, I'm asking these questions for a third party engineer. They're
> trying to configure our v3 IdP to work with an appliance called Access
> Manager by federating the two services. The user hits Access Manager,
> which in turn talks to Shibboleth which performs the authentication and
> passes back to Access Manager (at least that's how I understand it).

None of that should require a PrincipalConnector or the V3 equivalent. Not for any standard scenario anyway.

> The engineer doing the install is working from documentation for version 2,
> and there aren't any updated docs for Access Manager for version 3. This has
> been raised with the supplier.

They should not be documenting Shibboleth at all, and that's why: they won't be able to maintain it. What are the SAML requirements?

> <!-- Principal Connectors -->
> <PrincipalConnector xsi:type="Transient"
>         xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml2Persistent"
>         nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

The Transient connector isn't designed to be used with any other formats, and it's also ignored in V3 anyway so whatever you managed to get loaded wouldn't do anything for you.

--Scott


