md:NameIDFormat w/ IdP 3.3

Tom Poage tfpoage at ucdavis.edu
Fri Jan 20 15:22:01 EST 2017


IdP 3.3

SP metadata (inadvertently) loaded with a single NameIDFormat element:

urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

and noticed on login that no NameID is sent:

        <saml2:Subject>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="128.120.NN.MMM"
                    InResponseTo="_cc04014d-6902-4a64-b655-ed739d66b1c2"
                    NotOnOrAfter="2017-01-20T20:03:12.856Z" Recipient="https://ucdavis.xxxxxxx.com/..."/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>

If this NameIDFormat is commented out/removed in the metadata entry, then transient-id is sent in the Subject:

        <saml2:Subject>
            <saml2:NameID
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                NameQualifier="urn:mace:incommon:ucdavis.edu"
                SPNameQualifier="xxxxxxx.com" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZ...</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="128.120.NN.MMM"
                    InResponseTo="_4cebe093-f697-48f1-a0a8-3b8dc1ba27a7"
                    NotOnOrAfter="2017-01-20T20:08:17.117Z" Recipient="https://ucdavis.xxxxxxx.com/..."/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>

Had it in my head that 'unspecified' is ignored, suggesting that, in the absence of any other NameIDFormat/NameID overrides, it falls back to transient-id.

Is this not the case?

Thanks.
Tom.

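A small checker for the situation described above, added here as an example and not part of the original post or of the Shibboleth IdP itself: it lists the NameIDFormat values an SP declares in its metadata and reports whether a saml2:Subject actually carries a NameID, and with which Format. The entityIDs, locations and NameID values in the embedded XML are constructed placeholders; the only real constants are the standard SAML 2.0 namespace and format URIs. One spec point the code relies on: a NameID with no Format attribute means 'unspecified'.

```python
"""Inspect SP-declared NameIDFormat values and the NameID in an assertion Subject.
Added example; not code from the original post or from the Shibboleth project.
All XML below is constructed for illustration (placeholder entityIDs/values)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed SP metadata declaring only the 'unspecified' format (the case in the post).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Subject with no NameID at all (first capture in the post).
SUBJECT_NO_NAMEID = """<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_example-request-1"
        NotOnOrAfter="2017-01-20T20:03:12.856Z" Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""

# Constructed Subject carrying a transient NameID (second capture in the post).
SUBJECT_TRANSIENT = """<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      NameQualifier="https://idp.example.edu/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">AAdzZ-placeholder</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_example-request-2"
        NotOnOrAfter="2017-01-20T20:08:17.117Z" Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""


def sp_nameid_formats(metadata_xml: str) -> list[str]:
    """Return the NameIDFormat values declared under SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS) if e.text]


def subject_nameid(subject_xml: str) -> dict:
    """Describe the NameID in a saml2:Subject. Per the SAML 2.0 core spec, a NameID
    without a Format attribute is treated as 'unspecified'."""
    root = ET.fromstring(subject_xml)
    nid = root.find("saml2:NameID", NS)
    if nid is None:
        return {"present": False}
    return {
        "present": True,
        "format": nid.get("Format", UNSPECIFIED),
        "name_qualifier": nid.get("NameQualifier"),
        "sp_name_qualifier": nid.get("SPNameQualifier"),
        "value": (nid.text or "").strip(),
    }


def check(metadata_xml: str, subject_xml: str) -> list[str]:
    """Cross-check SP metadata against a Subject and return stable finding codes.
    'unspecified' is not counted as a usable declared format, since it names no
    concrete identifier type an IdP could be asked to produce."""
    findings = []
    declared = sp_nameid_formats(metadata_xml)
    usable = [f for f in declared if f != UNSPECIFIED]
    if declared and not usable:
        findings.append("sp-declares-only-unspecified")
    info = subject_nameid(subject_xml)
    if not info["present"]:
        findings.append("assertion-has-no-nameid")
    elif usable and info["format"] not in usable:
        findings.append("nameid-format-not-declared-by-sp")
    return findings


if __name__ == "__main__":
    for label, subj in (("no NameID", SUBJECT_NO_NAMEID), ("transient", SUBJECT_TRANSIENT)):
        print(label, "->", check(SP_METADATA, subj))
```

Running it against the two constructed Subjects reproduces the two captures from the post: the first yields both `sp-declares-only-unspecified` and `assertion-has-no-nameid`, the second only the metadata finding, since a transient NameID is present. Feed it a real SP EntityDescriptor and a decoded assertion to see which formats the SP is asking for and what the IdP actually returned.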