saml-nameid.xml: can we default opaque and override for specific SPs

Peter Schober peter.schober at
Tue Dec 11 17:47:51 EST 2018

* Paul Fardy <paul.fardy at> [2018-12-11 23:39]:
> We've been using clear persistent NameIDs for a few SPs and
> transient NameIDs for most SPs. We want to release an opaque
> persistent NameID. But I've broken the clear NameIDs.

Not what you wanted to hear, of course, but note that there's no such
thing as "clear persistent NameIDs" in SAML, the specification
requires that:

  "identifiers generated by identity providers MUST be constructed
  using values that have no discernible correspondence with the
  subject's actual identity (for example, username)"
  SAML Core, 8.3.7 Persistent Identifier

So maybe this would be a good time to end this misuse of standard data

> ... oh, it seems order in saml-nameid.xml fixes it. If
> shibboleth.SAML2PersistentGenerator precedes
> shibboleth.SAML2AttributeSourcedGenerator, then AttributeSourced
> isn't executed. Is that correct? Is that documented?

I don't think that's a correct conclusion, NameID selection is
documented in the wiki:

> Presumably, order is significant in saml-nameid.xml:
> > p:attributeSourceIds="#{{'attributeAsNameID1', 'attributeAsNameID2', ... }}" />

Not sure what you mean, but I never used an inline list of attribute
names for an SAML2AttributeSourced NameID so far.

> And I think attribute-release.xml would best have only one NameID attribute released for any given SP entityID.
> If I release one (or more) attributeAsNameID attributes to an SP,
> that clear attribute will supersede the opaque identifier, *if* it
> AttributeSourcedGen precedes PersistentGen. Correct?

I think the NameID Format Selection documentation referenced above
should explain all that. If not please let us know.
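As an added illustration (not part of this thread and not the poster's configuration) of the "default opaque, override for specific SPs" layout the subject line asks about: the opaque persistent generator stays the default for the persistent Format, and a SAML2AttributeSourcedGenerator in a different Format (emailAddress) is scoped to a named set of SPs by an activation condition instead of by list order. The bean names are those used by the Shibboleth IdP v3 saml-nameid.xml; the shibboleth.Conditions.RelyingPartyId condition and its c:candidates form are assumed here and should be checked against the IdP documentation for the deployed version, and the entityIDs and the 'mail' attribute are placeholders.

```xml
<!-- Added illustration, not from the thread. Bean names follow the
     Shibboleth IdP v3 saml-nameid.xml; the RelyingPartyId condition and
     its c:candidates form are an assumption to verify against the docs.
     entityIDs and the 'mail' attribute are placeholders. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default for SPs that request the transient Format. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Default for SPs that request the persistent Format: an opaque
         value with no correspondence to the username, as SAML Core
         8.3.7 requires. No attribute-sourced generator is registered
         for the persistent Format, so nothing can replace this value
         with a clear identifier. -->
    <ref bean="shibboleth.SAML2PersistentGenerator" />

    <!-- Override for a short list of SPs: an attribute-sourced NameID in
         the emailAddress Format. The activation condition limits it to
         the listed entityIDs; list position is not what scopes it. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://sp1.example.org/shibboleth',
                                    'https://sp2.example.org/shibboleth'} }" />
        </property>
    </bean>

</util:list>
```

Two things still have to hold for the override to take effect: the source attribute ('mail' here) must actually be released to those SPs by the attribute filter policy, and the SP must accept the emailAddress Format (through its metadata or the IdP's Format precedence settings), since generators are only consulted for a Format the SP can receive. Keeping the per-SP override in a non-persistent Format is what preserves the opaque persistent identifier for everyone else.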

