NameID configuration per relying party

Boyd, Todd M. tmboyd1 at ccis.edu
Sun Oct 1 21:35:31 EDT 2017


I have been tasked with linking up our Shibboleth IdP with a vendor who needs me to pass a plain text persistent identifier for each user in the NameID of our SAML assertions. Our HR department are responsible for entering this value into the vendor's system for each user, and as such, we have to choose an already-existing attribute (so no "generation" per se). I've gone with campusPermanentId, since it's the only commonly-known identifier available that won't change if the username or email address changes (which happens rather frequently). I've been looking through the IdP 3.x documentation, and while it seems entirely possible, I can't quite piece together all of the disparate wiki pages that deal with persistent NameID generation and relying party configuration well enough to come up with a complete solution.

I saw this in the documentation regarding how you would tie a NameID format to one or more RPs:

<!-- Attribute-sourced SAML 2 NameID generator, restricted to one RP by its activationCondition -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'mail', 'othermail'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" />
    </property>
</bean>

...and based on that wiki page, it seems as though I should use the urn:oid for campusPermanentId in the p:format field and the attribute I'm pulling from our LDAP query in the p:attributeSourceIds field, but I'm not sure which configuration file this is supposed to go into. Does this go in the saml-nameid.xml file? Is there anything else I would need to configure aside from this bean in order to release campusPermanentId to this RP as the NameID in the SAML assertion's subject?


Thanks,

-Todd
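For readers following this thread, here is an added example of a complete saml-nameid.xml that wires a generator of the kind quoted above to a single relying party. It is not from the original post, the Shibboleth wiki, or the IdP distribution; the entityID https://vendor.example.org/sp is a placeholder, and the persistent NameID Format is an assumption about what the vendor expects (use whichever format URI the vendor's metadata or integration guide names). The campusPermanentId attribute id is assumed to match the attribute definition id in attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/saml-nameid.xml: example configuration, not the IdP's shipped file -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- SAML 2 NameID generators. The IdP walks this list in order and uses the
         first generator whose format is acceptable to the SP and which yields a value. -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <!-- Keep the default transient generator so every other RP is unaffected. -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Vendor-specific generator: the NameID value is taken from the already
             resolved and released attribute 'campusPermanentId' (assumed id).
             p:format is the NameID *Format* URI the SP expects, not the OID of the
             source attribute; p:attributeSourceIds carries the attribute id. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              p:attributeSourceIds="#{ {'campusPermanentId'} }">
            <property name="activationCondition">
                <!-- Placeholder entityID: substitute the vendor SP's real entityID. -->
                <bean parent="shibboleth.Conditions.RelyingPartyId"
                      c:candidate="https://vendor.example.org/sp" />
            </property>
        </bean>

    </util:list>

    <!-- SAML 1 generators left at the distribution default. -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
    </util:list>

</beans>
```

Two things to check alongside this file. First, the attribute-sourced generator only sees attributes that survive attribute-filter.xml, so campusPermanentId must be released to that SP's entityID or the generator silently yields nothing and the next generator (transient) is used. Second, the generator is only selected when its format is one the SP will accept: either the vendor's metadata lists that NameIDFormat, the AuthnRequest asks for it, or the SP's RelyingPartyByName override in relying-party.xml sets nameIDFormatPrecedence on its SAML2.SSO profile configuration to that format URI. Confirm the result by inspecting the <saml2:NameID> element in an assertion issued to the test SP rather than only reading idp-process.log.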

