NameID configuration per relying party
Peter Schober
peter.schober at univie.ac.at
Mon Oct 2 05:47:27 EDT 2017
* Boyd, Todd M. <tmboyd1 at ccis.edu> [2017-10-02 03:36]:
> I saw this in the documentation regarding how you would tie a NameID
> format to one or more RPs:
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:omitQualifiers="true"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'mail', 'othermail'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" />
>     </property>
> </bean>
>
> ...and based on that wiki page, it seems as though I should use the
> urn:oid for campusPermanentId in the p:format field and the
> attribute I'm pulling from our LDAP query in the
> p:attributeSourceIds field
Yes, e.g. for ePPN it would be p:format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
> but I'm not sure which configuration file this is supposed to go
> into. Does this go in the saml-nameid.xml file?
Yes, assuming this is for SAML2 within the
util:list/@id="shibboleth.SAML2NameIDGenerators" element.
> Is there anything else I would need to configure aside from this
> bean in order to release campusPermanentId to this RP as the NameID
> in the SAML assertion's subject?
Yes, you'll need to either release the source attribute used to create
the NameID to the SP in question (recommended, as it keeps attribute
release policies within the attribute filter) or alternatively set
idp.persistentId.useUnfilteredAttributes=true in
saml-nameid.properties to do so for any attribute-sourced NameID.
-peter
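Putting Peter's two answers together as one worked configuration (an added example for this page, not text from the thread or the Shibboleth project's shipped files): the generator bean placed in the shibboleth.SAML2NameIDGenerators list of saml-nameid.xml, plus the matching attribute-filter.xml policy that releases the source attribute to the same SP. It uses ePPN because its OID is the one Peter gives above; the attribute id eduPersonPrincipalName is assumed to be what attribute-resolver.xml defines, and sp.example.com is the placeholder from the quoted documentation. For campusPermanentId, substitute its own OID in p:format and its resolver id in both places.

```xml
<!-- saml-nameid.xml: the SAML 2 generator list. Generators are consulted
     in order, so the attribute-sourced bean sits ahead of the shipped
     transient generator and is considered first for the named SP. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Added example: ePPN as the NameID for exactly one relying party.
         OID from Peter's reply; 'eduPersonPrincipalName' is an assumed
         attribute id from attribute-resolver.xml. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidate="https://sp.example.com/shibboleth" />
        </property>
    </bean>

    <!-- Shipped default: transient NameIDs for every other SP. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

</util:list>

<!-- attribute-filter.xml: release the source attribute to the same SP.
     This is the option Peter recommends; the alternative is the global
     saml-nameid.properties setting
         idp.persistentId.useUnfilteredAttributes = true
     which bypasses the filter for every attribute-sourced NameID. -->
<AttributeFilterPolicy id="releaseEPPNtoSPexample">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.com/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

One caveat the thread does not cover: the IdP only uses a generator whose format the SP has actually asked for, via a NameIDFormat element in its metadata or a NameIDPolicy in the AuthnRequest. If the SP expresses no format, the request falls through to the transient generator even with the bean above in place, so check the SP's metadata before assuming the configuration is wrong.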