sign/encrypt assertions attributes not being honoured
Peter Schober
peter.schober at univie.ac.at
Fri Aug 3 06:39:00 EDT 2018
* sshabbir <sshabbir at bmj.com> [2018-08-02 17:17]:
> Update your attribute resolver as below
>
> <AttributeDefinition xsi:type="Simple" id="userName"
>                      sourceAttributeID="userName">
>     <Dependency ref="scriptedAttributeConnector" />
>     <AttributeEncoder xsi:type="SAML2String"
>                       name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>                       encodeType="false" />
> </AttributeDefinition>
No, use an encoder that's appropriate for "userName" in the general
context, i.e., don't special-case what a "userName" is just because
you might /also/ use it as the basis for a NameID sometimes.
(I suggested the formal name of uid/userid from RFC4519, so the name
would be "urn:oid:0.9.2342.19200300.100.1.1" in the encoder, not the
"unspecified" URN above).
The encoding as a NameID is *not* done in your provided example, here
you merely define an ordinary attribute. It's the reference to this
attribute from saml-nameid.xml that turns it into a NameID when
needed.
> p:encryptNameIDs="false"
Encryption of NameIDs defaults to false for many, many years now, so
you can remove that, simplifying your override a bit.
-peter
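An added, illustrative configuration (not the poster's or Peter's own files) showing how the three pieces discussed above fit together on a Shibboleth IdP 3.3-era install: the attribute definition with a general-purpose encoder, the reference in saml-nameid.xml that actually produces the NameID, and a relying-party override without the redundant p:encryptNameIDs setting. It reuses the data connector id "scriptedAttributeConnector" and the attribute id "userName" from the quoted message; the friendlyName "uid" and the SP entityID "https://sp.example.org/shibboleth" are placeholders.

```xml
<!--
  Added example, not configuration from the original thread.
  Assumed: connector id "scriptedAttributeConnector" and attribute id
  "userName" (from the quoted message); friendlyName "uid" and the SP
  entityID "https://sp.example.org/shibboleth" are placeholders.
  Each fragment goes into the file named in its comment; the usual
  namespace declarations of those files are assumed.
-->

<!-- conf/attribute-resolver.xml: "userName" is encoded as an ordinary
     attribute under the RFC 4519 uid OID, with no NameID-specific
     special-casing. Same encoder whether or not it later feeds a NameID. -->
<AttributeDefinition xsi:type="Simple" id="userName"
                     sourceAttributeID="userName">
    <Dependency ref="scriptedAttributeConnector" />
    <AttributeEncoder xsi:type="SAML2String"
                      name="urn:oid:0.9.2342.19200300.100.1.1"
                      friendlyName="uid"
                      encodeType="false" />
</AttributeDefinition>

<!-- conf/saml-nameid.xml: this reference is what turns the resolved
     attribute into a NameID. The generator is used only when the
     "unspecified" format is selected for a given SP. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'userName'} }" />
</util:list>

<!-- conf/relying-party.xml: per-SP override. NameID encryption already
     defaults to false, so p:encryptNameIDs="false" is left out. The
     format precedence tells the IdP to prefer "unspecified" for this SP
     when the SP does not itself request a format. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{ {'https://sp.example.org/shibboleth'} }">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </list>
    </property>
</bean>
```

After reloading the resolver and relying-party services, a quick check is to run the IdP's attribute resolver test endpoint (or aacli) for the SP and confirm "urn:oid:0.9.2342.19200300.100.1.1" appears as an attribute, then inspect a real SSO response to see the same value carried in the Subject/NameID with the unspecified format.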