saml-nameid.xml: can we default opaque and override for specific SPs

[Cantor, Scott]

On 12/11/18, 5:39 PM, "users on behalf of Paul Fardy" <users-bounces at shibboleth.net on behalf of paul.fardy at utoronto.ca> wrote:

>... oh, it seems order in saml-nameid.xml fixes it. If shibboleth.SAML2PersistentGenerator precedes > shibboleth.SAML2AttributeSourcedGenerator, then AttributeSourced isn't executed. Is that correct? Is that documented?

The order is only significant when multiple generators produce the same Format (and that should almost never be true). But if they did, it would use the result of the first one that produced the Format required to satisfy the request. It makes no sense to do that since the later one wouldn't ever be used. It's only sensible if there are activationConditions in effect that are limiting when they might apply, and that's not good. The production of values for a given Format shouldn't depend on the relying party. If you're doing that sort of craziness, stop, it's just terrible practice.

> If I release one (or more) attributeAsNameID attributes to an SP, that clear attribute will supersede the opaque
> identifier, *if* it AttributeSourcedGen precedes PesistentGen. Correct?

"opaque" and "clear" are properties of a given data item. An AttributeSourced generator could produce an opaque value just as easily as not. It's true that by design the Persistent generators produce opaque values, but those (and Transient generators) are the exceptions.

-- Scott