Persistent NameID

Cantor, Scott cantor.2 at osu.edu
Thu Feb 16 17:47:27 EST 2017


> I am definitely feeling much better about Shibboleth now after digging
> through the links that were provided last week.  I appreciate everyone who took
> the time to respond.  I have everything set up and working so far.  The final
> piece of the puzzle is the NameID.  Our SP requires a persistent NameID and
> it wants it in the format of an email address.

A persistent ID in SAML is a specific thing that cannot be an email address. That term has a very precise meaning.

Aside from that, there are few identifiers less persistent in the technical sense than email address, since they're frequently name-based and change often, but regardless of one's perspective on them, they are not "persistent" NameIDs.

SAML already has a Format constant defined for email addresses used as a NameID.

> Digging through the documentation on NameIDs it mentions using a
> database to store Persistent NameIDs.  It looks like there are quite a few
> things that can happen with these NameIDs.  I don’t want to create a hash or
> do anything like that; since the information is already sitting in Active
> Directory and is being returned, I don’t feel like a database is honestly
> required here. If it is, that is fine and I can easily get this all set up based on the
> wiki.

Yes, which is why what you're talking about is not a persistent NameID.

> Do I need to set up a database server just to use Persistent NameIDs?

You don't need to set one up to use Persistent NameIDs, but you do not want to use them anyway.

> I see the shibboleth.SAML2AttributeSourcedGenerator in the
> saml-nameid.xml file.  It is using mail as the nameid there.  Can I just uncomment
> the shibboleth.SAML2PersistentGenerator and the above mentioned bean
> right below it and be good?

Basically.

> If I want to use mail for a persistent NameID what do I need to do in the
> saml-nameid.properties file to make the persistent configuration work
> properly?

Nothing; that file is strictly used to control the behavior of persistent and transient NameIDs, neither of which apply to use of email addresses.

-- Scott
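For readers following the thread, this is an added example (not from the original message and not the Shibboleth project's shipped file) of the saml-nameid.xml bean the reply refers to: an attribute-sourced NameID generator that emits the IdP's resolved `mail` attribute under SAML's own emailAddress Format constant, rather than the persistent Format, which the reply explains is a distinct thing. The SP entityID is a placeholder; the relying-party override and attribute-filter reminder below are assumptions about a typical IdP v3 deployment, added so a practitioner can check why the SP might still not receive the expected NameID.

```xml
<!-- conf/saml-nameid.xml (added example, Shibboleth IdP v3 style) -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Transient generator is the default and stays enabled. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Deliberately NOT enabling shibboleth.SAML2PersistentGenerator:
         the persistent Format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
         is an opaque, stable identifier and is never an email address. -->

    <!-- NameID sourced from the already-resolved "mail" attribute,
         labelled with the SAML 1.1 emailAddress Format constant. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />

</util:list>

<!-- conf/relying-party.xml (assumption: only needed if the SP's metadata does not
     itself list the emailAddress NameIDFormat; the entityID is a placeholder). -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
```

Two things to verify if the SP still receives a transient NameID: the `mail` attribute must actually be released to that SP by the attribute filter policy (the attribute-sourced generator only sees attributes that survive filtering), and the SP must either advertise the emailAddress NameIDFormat in its metadata or be given the precedence override shown above. Nothing in saml-nameid.properties affects this path, as the reply states.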
