Persistent NameID
Cantor, Scott
cantor.2 at osu.edu
Thu Feb 16 17:47:27 EST 2017
> I am definitely feeling much better about Shibboleth now after digging
> through the links that were provided last week. I appreciate everyone who took
> the time to respond. I have everything set up and working so far. The final
> piece of the puzzle is the NameID. Our SP requires a persistent NameID and
> it wants it in the format of an email address.
A persistent ID in SAML is a specific thing that cannot be an email address. That term has a very precise meaning.
Aside from that, there are few identifiers less persistent in the technical sense than email address, since they're frequently name-based and change often, but regardless of one's perspective on them, they are not "persistent" NameIDs.
SAML already has a Format constant defined for email addresses used as a NameID.
> Digging through the documentation on NameIDs it mentions using a
> database to store Persistent NameIDs. It looks like there are quite a few
> things that can happen with these NameIDs. I don't want to create a hash or
> do anything like that; since the information is already sitting in Active
> Directory and is being returned, I don't feel like a database is honestly
> required here. If it is, that is fine and I can easily get this all set up based on the
> wiki.
Yes, which is why what you're talking about is not a persistent NameID.
> Do I need to set up a database server just to use Persistent NameIDs?
You don't need to set one up to use Persistent NameIDs, but you do not want to use them anyway.
> I see the shibboleth.SAML2AttributeSourcedGenerator in the
> saml-nameid.xml file. It is using mail as the nameid there. Can I just uncomment
> the shibboleth.SAML2PersistentGenerator and the above mentioned bean
> right below it and be good?
Basically.
> If I want to use mail for a persistent NameID what do I need to do in the
> saml-nameid.properties file to make the persistent configuration work
> properly?
Nothing; that file is strictly used to control the behavior of persistent and transient NameIDs, neither of which apply to use of email addresses.
-- Scott
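As an added illustration (not part of Scott's reply or the asker's own configuration), this is what the relevant section of the IdP's conf/saml-nameid.xml looks like when the attribute-sourced email generator is enabled and the persistent generator is left alone. It assumes the resolved attribute is named mail, that the SP's metadata advertises the emailAddress NameIDFormat (otherwise the IdP has no reason to select this generator), and that mail is released to that SP by the attribute filter policy.

```xml
<!-- Excerpt of conf/saml-nameid.xml (Shibboleth IdP v3), added example -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default: transient IDs for SPs that do not ask for anything else. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Persistent generator stays commented out: it produces opaque,
         stable-per-SP values (requiring salt or a DB, configured in
         saml-nameid.properties), not email addresses. -->
    <!--
    <ref bean="shibboleth.SAML2PersistentGenerator" />
    -->

    <!-- Email address as the NameID value, using SAML's own Format
         constant for email addresses. Sourced from the released 'mail'
         attribute (assumed name); nothing in saml-nameid.properties
         affects this bean. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />

</util:list>
```

If the SP's metadata does not list the emailAddress format, the IdP falls through to the transient generator; the per-relying-party nameIDFormatPrecedence override is the usual way to force the selection for such an SP.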