SAML2StringNameID will be removed
Peter Schober
peter.schober at univie.ac.at
Mon Dec 17 17:07:25 EST 2018
* sherrera <sherrera at bradley.edu> [2018-12-17 22:49]:
> <AttributeDefinition xsi:type="Simple" id="bitEmail">
> <InputDataConnector ref="myLDAP" attributeNames="mail"/>
> <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
> <AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
> </AttributeDefinition>
>
> I've been researching NameID Generation service but it still escapes me. I
> believe I need to uncomment the PersistentGenerator in saml-nameid.xml to
> begin with.
This has nothing to do with persistent NameIDs. The above are
"attribute-based", so that's what you'd use in saml-nameid.xml.
> Then where I'm not sure is how to transition away from
> xsi:type="SAML2StringNameID" and tie that entry back to my
> "bitEmail". What would an example entry look like for this?
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <!-- Others you might be using -->
        <!-- attributeSourceIds takes resolver attribute IDs, i.e. the
             AttributeDefinition id ("bitEmail"), not the LDAP attribute
             name it is sourced from -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              p:attributeSourceIds="#{ {'bitEmail'} }" />
    </util:list>
Remove the second encoder above and reload both the resolver and the
nameid configuration. Make sure you release "bitEmail" to the desired
SP.
If the SP has the provided NameIDFormat listed in its metadata that's
all you'd need to do. Test with aacli.sh using the --saml2 parameter
to see the actual NameID that would go out.
-peter
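An added consistency check, written for this page and not taken from the thread or from the Shibboleth project: it parses constructed attribute-resolver.xml and saml-nameid.xml fragments (ids mirroring the ones discussed above) and reports a SAML2AttributeSourcedGenerator whose attributeSourceIds name no AttributeDefinition id in the resolver, plus any AttributeDefinition that still carries the SAML2StringNameID encoder being retired. The namespaces, the bean parent name and the p: property names are assumed to be the standard Shibboleth IdP 3 / Spring ones; the sample configuration text, including the slip it contains, is constructed for the example.

```python
"""Cross-check attribute-based SAML2 NameID generation in a Shibboleth IdP config
(added example, not from the thread or the Shibboleth project).

Reads attribute-resolver.xml and saml-nameid.xml text and reports:
  * SAML2AttributeSourcedGenerator source ids that match no AttributeDefinition id
  * AttributeDefinitions that still carry the deprecated SAML2StringNameID encoder
"""
import re
import xml.etree.ElementTree as ET

# Namespaces used by the two files (assumed: standard Shibboleth/Spring namespaces).
RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"

DEPRECATED_ENCODER = ('<AttributeEncoder xsi:type="SAML2StringNameID" '
                      'nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>')

# Constructed sample: "bitEmail" is fed from the LDAP attribute "mail".
RESOLVER_XML = f"""<AttributeResolver xmlns="{RESOLVER_NS}" xmlns:xsi="{XSI_NS}">
  <AttributeDefinition xsi:type="Simple" id="bitEmail">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
    {DEPRECATED_ENCODER}
  </AttributeDefinition>
</AttributeResolver>"""

# Constructed sample with a common slip: the generator names the LDAP attribute, not the resolver id.
NAMEID_XML = f"""<beans xmlns="{BEANS_NS}" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="{P_NS}">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:omitQualifiers="true"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{{ {{'mail'}} }}"/>
  </util:list>
</beans>"""

# Corrected pair: the generator sources the resolver attribute id and the old encoder is gone.
RESOLVER_XML_FIXED = RESOLVER_XML.replace(DEPRECATED_ENCODER, "")
NAMEID_XML_FIXED = NAMEID_XML.replace("'mail'", "'bitEmail'")


def resolver_attribute_ids(xml_text):
    """Set of AttributeDefinition ids defined in the resolver."""
    root = ET.fromstring(xml_text)
    return {el.get("id") for el in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition")}


def deprecated_nameid_encoders(xml_text):
    """(attribute id, nameFormat) for every SAML2StringNameID encoder still present."""
    root = ET.fromstring(xml_text)
    found = []
    for attr in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition"):
        for enc in attr.findall(f"{{{RESOLVER_NS}}}AttributeEncoder"):
            if enc.get(f"{{{XSI_NS}}}type") == "SAML2StringNameID":
                found.append((attr.get("id"), enc.get("nameFormat")))
    return found


def parse_source_ids(spel):
    """Quoted ids from a Spring list literal such as "#{ {'mail','eppn'} }"."""
    return re.findall(r"'([^']*)'", spel)


def attribute_sourced_generators(xml_text):
    """Format and source ids of every SAML2AttributeSourcedGenerator bean."""
    root = ET.fromstring(xml_text)
    gens = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("parent") == "shibboleth.SAML2AttributeSourcedGenerator":
            gens.append({
                "format": bean.get(f"{{{P_NS}}}format"),
                "sources": parse_source_ids(bean.get(f"{{{P_NS}}}attributeSourceIds", "")),
            })
    return gens


def check_nameid_config(resolver_xml, nameid_xml):
    """Human-readable findings; an empty list means the two files agree."""
    ids = resolver_attribute_ids(resolver_xml)
    findings = []
    for gen in attribute_sourced_generators(nameid_xml):
        for src in gen["sources"]:
            if src not in ids:
                findings.append(f"generator for {gen['format']} sources '{src}', which is not a "
                                f"resolver attribute id (known: {sorted(ids)})")
    for attr_id, fmt in deprecated_nameid_encoders(resolver_xml):
        findings.append(f"attribute '{attr_id}' still has a SAML2StringNameID encoder ({fmt}); remove it")
    return findings


if __name__ == "__main__":
    for label, pair in (("before", (RESOLVER_XML, NAMEID_XML)),
                        ("after", (RESOLVER_XML_FIXED, NAMEID_XML_FIXED))):
        print(f"[{label}]")
        for line in check_nameid_config(*pair) or ["OK: configuration is consistent"]:
            print("  " + line)
```

Run it against the two real files (read them into the two arguments of check_nameid_config) before reloading the resolver and nameid services; an empty result is the point at which the aacli.sh --saml2 test above should show the emailAddress NameID.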