NameID configuration per relying party

Peter Schober peter.schober at
Mon Oct 2 05:47:27 EDT 2017

* Boyd, Todd M. <tmboyd1 at> [2017-10-02 03:36]:
> I saw this in the documentation regarding how you would tie a NameID
> format to one or more RPs:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:omitQualifiers="true"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'mail', 'othermail'} }"> 
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="" />
>     </property>
> </bean>
> ...and based on that wiki page, it seems as though I should use the
> urn:oid for campusPermanentId in the p:format field and the
> attribute I'm pulling from our LDAP query in the
> p:attributeSourceIds field

Yes, e.g. for ePPN it would be p:format="urn:oid:"

> but I'm not sure which configuration file this is supposed to go
> into. Does this go in the saml-nameid.xml file?

Yes, assuming this is for SAML2 within the
util:list/@id="shibboleth.SAML2NameIDGenerators" element.

> Is there anything else I would need to configure aside from this
> bean in order to release campusPermanentId to this RP as the NameID
> in the SAML assertion's subject?

Yes, you'll need to either release the source attribute used to create
the NameID to the SP in question (recommended, as it keeps attribute
release polcies within the attribute filter) or alternatively set
idp.persistentId.useUnfilteredAttributes=true in to do so for any attribute-sourcesd NameID.


More information about the users mailing list