IdP implementation roadmap
Andrew Morgan
morgan at orst.edu
Tue Apr 16 12:34:44 EDT 2019
On Tue, 16 Apr 2019, Yakov Revyakin wrote:
> I ask you to push me somehow to understand a roadmap:
> 1) How to make Shib IdP and metadata-less SP friends?
As others have said, you just create a metadata file by inserting the
entityID and ACS URL of the SP. The IDP operates from metadata, so you'll
need to make metadata somehow.
> 2) How to force the IdP to return the user name inside NameID tag with
> NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
This wiki page explains it:
https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
Here is a sample for saml-nameid.xml you might be able to use:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'uid'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.OR">
            <constructor-arg>
                <list>
                    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp1" />
                    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp2" />
                </list>
            </constructor-arg>
        </bean>
    </property>
</bean>
This will generate an "unspecified" format NameID from the "uid" attribute
for an SP with entityID of "https://sp1" or "https://sp2".
You will also need to add an override to relying-party.xml to force the
use of the "unspecified" NameID for these SPs. That is documented at the
bottom of the wiki page.
Thanks,
Andy
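For reference, the relying-party.xml override that the reply points to, as an added example (not from the post above): it goes inside the shibboleth.RelyingPartyOverrides list in the IdP's conf/relying-party.xml and assumes the same two entityIDs, https://sp1 and https://sp2, used in the saml-nameid.xml sample.

```xml
<!-- Added example: scope the "unspecified" NameID format to the same two SPs.
     Place this bean inside <util:list id="shibboleth.RelyingPartyOverrides">
     in conf/relying-party.xml. entityIDs are assumed placeholders. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{ {'https://sp1', 'https://sp2'} }">
    <property name="profileConfigurations">
        <list>
            <!-- Only the SAML 2 SSO profile is overridden; other profiles
                 keep the global defaults for these relying parties. -->
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </list>
    </property>
</bean>
```

Keeping the override keyed to explicit entityIDs, rather than changing the global profile default, limits the non-standard NameID format to the SPs that actually need it.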