various nameid formats

Ramaiah, Vanna G. ramaiah at musc.edu
Wed Mar 22 13:33:31 EDT 2017


So, for an SP that is requesting uid in the NameID, should something like this help if I am using the legacy attribute-resolver file?

<resolver:AttributeDefinition id="uidNameId" xsi:type="ad:Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="sAMAccountName">
    <resolver:Dependency ref="myAD" />

    <!-- Note: nameFormat must be a SAML NameID Format URI (for example
         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
         urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is the eduPersonPrincipalName
         attribute name, not a NameID Format, so an SP will not match it. -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" />
</resolver:AttributeDefinition>





-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, March 22, 2017 1:25 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: various nameid formats



On 3/22/17, 1:12 PM, "users on behalf of John Dennis" <users-bounces at shibboleth.net on behalf of jdennis at redhat.com> wrote:

> For some of us who are relatively new to SAML and often rely on the 
> SAML specs for our understanding of the technology we lack the context 
> to know what part of the specs are historical baggage or are too under 
> specified to be useful. Is information of this nature collected 
> somewhere? It would really help inform some of our decisions.

Bits and pieces in our documentation probably, but nothing comprehensive. Nobody's paying me to do it, and the market decided it wanted JSON, so my incentive to do this has been pretty low. When SAML 2.1 died for lack of resources, that was my last gasp spent on any cleanup of the standard.

Of late, some of it's being collated into the profiles InCommon has been working on for the last year or so, and I expect there will be very specific language about NameID usage in the deployment profile (maybe even stating "transient" only). But commercial vendors by and large pay zero attention to that, so I don't really expect it to matter. It's targeted at people operating software like ours and offering resources to this community, and our practices are largely aligned in these areas already.

NameIDs are a giant pain, and their only current purpose is logout and in very rare cases attribute queries. That's really most of what there is to say. The edge case has been "persistent", and pairwise ID is so broken that it's increasingly no longer much of a caveat to that statement.

-- Scott


--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
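For comparison with the legacy-syntax snippet in the first message, the following is how the same requirement (emit the account name as the NameID for one SP) is normally met in IdP v3 without the legacy SAML2StringNameID encoder. This is an added example and is not configuration from either poster: the attribute is defined in attribute-resolver.xml in the ordinary way, and a generator in conf/saml-nameid.xml sources the NameID from it. The data connector id myAD is taken from the question; the attribute id uid, the SP entityID https://sp.example.org/shibboleth and the "unspecified" Format are assumptions for illustration and should be replaced with what the SP actually requests in its NameIDPolicy or metadata.

```xml
<!-- conf/attribute-resolver.xml (IdP v3 non-legacy syntax).
     Exposes sAMAccountName as the attribute "uid". This is a plain attribute
     encoder; NameID generation is configured separately below. -->
<AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="sAMAccountName">
    <Dependency ref="myAD"/>  <!-- data connector id from the question -->
    <AttributeEncoder xsi:type="SAML2String"
                      name="urn:oid:0.9.2342.19200300.100.1.1"
                      friendlyName="uid"
                      encodeType="false"/>
</AttributeDefinition>

<!-- conf/saml-nameid.xml.
     The generator list is consulted in order; the IdP uses the first generator
     whose Format matches what the SP asked for and that actually yields a value.
     p:format MUST be a NameID Format URI, not an attribute OID. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default for everybody else: transient identifiers. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Attribute-sourced NameID built from the resolved (and released) "uid". -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'uid'} }">
        <!-- Scope the non-transient identifier to the one SP that needs it
             (assumed entityID), so it is not handed to every relying party. -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>

</util:list>
```

Two checks worth making before assuming it works: the attribute-sourced generator reads the attributes after attribute filtering, so uid must also be released to that SP in attribute-filter.xml, otherwise the generator returns nothing and the IdP silently falls back to the next generator in the list (transient here); and the Format string has to match the SP's NameIDPolicy exactly, since a mismatch produces an InvalidNameIDPolicy status rather than a best-effort identifier.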