NameID configuration per relying party

Boyd, Todd M. tmboyd1 at ccis.edu
Mon Oct 2 10:04:17 EDT 2017 

Correct--it was a custom format that I wanted, not a persistent format. The campusPermanentId certainly isn't "pairwise."

I think part of the issue here is that this RP has provided no metadata, and rather than creating an "open" IdP, I created a metadata file by hand after much excruciating back-and-forth with the vendor. Nonetheless, I do now have it sending campusPermanentId in the NameID of the Subject. The piece I was missing at last was to set the NameIDFormat in the metadata for the RP.

I'll gladly go through the pages I was researching in the Wiki and see if there's anything that could be added or clarified.


-Todd


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, October 02, 2017 8:32 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: NameID configuration per relying party

> I can't quite piece together all of the disparate wiki pages that deal 
> with persistent NameID generation and relying party configuration well 
> enough to come up with a complete solution.

"Persistent" in SAML means pairwise. I don't think you are clear here about what you really need to do.

> ...and based on that wiki page, it seems as though I should use the 
> urn:oid for campusPermanentId in the p:format field and the attribute 
> I'm pulling from our LDAP query in the p:attributeSourceIds field, but 
> I'm not sure which configuration file this is supposed to go into. 
> Does this go in the saml- nameid.xml file?

If there's an example you're looking at that doesn't say outright what file it's referring to, you can either fix that yourself if you care to or report it in JIRA as a documentation bug. That is always the intention with any examples, they're not just meant to be absent of any context for what file they're talking about. I'll look at the NameID pages and see if I spot anything.

But no, I doubt this is correct. A "persistent" NameID has its own Format in SAML, you don't change it to something else. Do you want "persistent" or do you want a "custom" Format? That's a very different process.

>  Is there anything else I would need to configure aside from this bean 
> in order to release campusPermanentId to this RP as the NameID in the 
> SAML assertion's subject?

You always have to trigger Format selection. That is a separate task from defining how a particular Format is to be generated. That is documented in detail in the NameID generation page.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list