saml-nameid.xml: can we default opaque and override for specific SPs
Peter Schober
peter.schober at univie.ac.at
Tue Dec 11 17:47:51 EST 2018
* Paul Fardy <paul.fardy at utoronto.ca> [2018-12-11 23:39]:
> We've been using clear persistent NameIDs for a few SPs and
> transient NamedIDs for most SPs. We want to release an opaque
> persistent NameID. But I've broken the clear NameIDs.
Not what you wanted to head, of course, but note that there's no such
thing as "clear persistent NameIDs" in SAML, the specification
requires that:
"identifiers generated by identity providers MUST be constructed
using values that have no discernible correspondence with the
subject's actual identity (for example, username)"
SAML Core, 8.3.7 Persistent Identifier
So maybe this would be a good time to end this misuse of standard data
structures?
> ... oh, it seems order in saml-nameid.xml fixes it. If
> shibboleth.SAML2PersistentGenerator precedes
> shibboleth.SAML2AttributeSourcedGenerator, then AttributeSourced
> isn't executed. Is that correct? Is that documented?
I don't think that's a correct conclustion, NameID selection is
documented in the wiki:
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration#NameIDGenerationConfiguration-FormatSelectionFormatSelection
> Presumably, order is significant in saml-nameid.xml:
> > p:attributeSourceIds="#{{'attributeAsNameID1', 'attributeAsNameID2', ... }}" />
Not sure what you mean, but I never used an inline list of attribute
names for an SAML2AttributeSourced NameID so far.
> And I think attribute-release.xml would best have only one NameID attribute released for any given SP entityID.
>
> If I release one (or more) attributeAsNameID attributes to an SP,
> that clear attribute will supersede the opaque identifier, *if* it
> AttributeSourcedGen precedes PesistentGen. Correct?
I think the NameID Format Selection documenation referenced above
should explain all that. If not please let us know.
-peter
More information about the users
mailing list