IdP implementation roadmap

Andrew Morgan morgan at
Tue Apr 16 12:34:44 EDT 2019

On Tue, 16 Apr 2019, Yakov Revyakin wrote:

> I ask you to push me somehow to understand a roadmap:
> 1) How to make Shib IdP and metadata-less SP friends?

As others have said, you just create a metadata file by inserting the 
entityID and ACS URL of the SP.  The IdP operates from metadata, so you'll 
need to make metadata somehow.

> 2) How to force the IdP to return the user name inside the NameID tag with
> NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

This wiki page explains it:

Here is a sample for saml-nameid.xml you might be able to use:

   <!-- p:format and the closing tags were missing from the snippet as quoted; the OR condition takes its predicates as a constructor-arg list -->
   <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
       p:attributeSourceIds="#{ {'uid'} }">
       <property name="activationCondition">
           <bean parent="shibboleth.Conditions.OR">
               <constructor-arg><list>
                   <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp1" />
                   <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp2" />
               </list></constructor-arg>
           </bean>
       </property>
   </bean>

This will generate an "unspecified" format NameID from the "uid" attribute 
for an SP with entityID of "https://sp1" or "https://sp2".

You will also need to add an override to relying-party.xml to force the 
use of the "unspecified" NameID for these SPs.  That is documented at the 
bottom of the wiki page.
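The hand-written metadata file that the first answer above calls for, as an added example (not part of Andrew's message): it covers one of the SPs from his snippet, https://sp1. The ACS Location https://sp1/saml/acs, the binding and the signing flags are assumptions to adjust to the real SP; the entityID and the unspecified NameID format come from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: minimal metadata for an SP that publishes none.
     entityID must match exactly what the SP sends in its <Issuer>. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp1">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                        AuthnRequestsSigned="false"
                        WantAssertionsSigned="true">
        <!-- Stating the format here is the metadata-driven alternative to a
             relying-party.xml override: the IdP consults the SP's NameIDFormat
             elements when choosing which NameID generator to run. -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <!-- Location is an assumed value. The IdP only POSTs a Response to a
             Location listed here, so an AuthnRequest naming an unlisted ACS URL
             is rejected rather than honoured. -->
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://sp1/saml/acs"
                                     index="1"
                                     isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Save it under the IdP's metadata directory and reference it from conf/metadata-providers.xml with a FilesystemMetadataProvider; until the IdP can resolve the entityID from metadata it treats the SP as an unknown relying party and refuses the request. If the SP has a certificate, add it as a KeyDescriptor so the IdP can verify signed requests and encrypt assertions.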


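The relying-party.xml override that the last paragraph refers to but does not show, as an added example (mine, not Andrew's): it forces the unspecified format for the same two entityIDs, https://sp1 and https://sp2, so that the generator from saml-nameid.xml above is the one selected. The encryptAssertions setting is an assumption that the hand-made SP metadata carries no encryption KeyDescriptor; leave it out if the SP publishes a key.

```xml
<!-- Constructed example: the overrides list in conf/relying-party.xml.
     The IdP ships this list empty; entries are matched by entityID. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{ {'https://sp1', 'https://sp2'} }">
        <property name="profileConfigurations">
            <list>
                <!-- nameIDFormatPrecedence is consulted ahead of the SP metadata and
                     the generator defaults, so the unspecified generator wins here. -->
                <!-- encryptAssertions="false" is an assumption: with no encryption key
                     in the SP's metadata the IdP cannot encrypt and would fail the
                     request instead of sending a plaintext assertion. -->
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                      p:encryptAssertions="false" />
            </list>
        </property>
    </bean>

</util:list>
```

The override only changes the profile configuration; the activationCondition on the generator in saml-nameid.xml still has to match the same entityIDs, otherwise the IdP finds no generator for the requested format and the response carries no NameID. Turning encryption off means the assertion travels in the clear inside the TLS channel to the ACS, so adding the SP's certificate as a KeyDescriptor is the better fix once one is available.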
