About attribute setting to the NameID.

Losen, Stephen C (scl) scl at virginia.edu
Wed Aug 28 06:15:57 EDT 2019 

Hi Tomomi,

Actually you need to do it like this:

SP1 Name ID FORMAT is format1

SP2 Name ID FORMAT is format2

Then define the formats in saml-nameid.xml with their associated attributes. Then release the appropriate attribute(s) to the SP.

Usually the SP does not care about the format, it only pulls out the NameID value. I have defined various NameID formats that use the attribute's urn:oid:... identifier.

Here is a nameid format for "uid":

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oid:0.9.2342.19200300.100.1.1"
            p:attributeSourceIds="#{ {'uid'} }" />

If I specify the nameid format ="urn:oid:0.9.2342.19200300.100.1.1" then the SP gets the "uid" value in the NameID.

You can also define a format with a list of source attributes that are checked in order. You can control which attribute is used in the attribute filter for the SP.

  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'eduPersonPrincipalName', 'email'} }" />

So if I specify the nameid format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and then release "eduPersonPrincipalName" then the SP gets a NameID in this format with this attribute value. If I do not release "eduPersonPrincipalName", but do release "email" then the SP gets the email value in the NameID, with this format.

So the IDP works like this:

Get NameID format for the SP (I specify this in the SP metadata if I maintain it locally)

Get NameID definition for the NameID format in saml-nameid.xml

Compare attributes in NameID definition with attributes released to the SP. 

Put value of first matching attribute into the NameID. 


Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu    434-924-0640


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Tomomi
Sent: Wednesday, August 28, 2019 1:43 AM
To: users at shibboleth.net
Subject: RE: About attribute setting to the NameID.

Hi Steve,

Thank you for your answer.

In that case, Can I specify as below.

For example,
SP1
Name ID attribute is "mail".

SP2
Name ID attribute is "userPrincipalName".

Please let me know your advice.

Regards,

Tomomi



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list