IDP rely configuration - Adobe suggests a modification of default behaviour - any hints?
Peter Schober
peter.schober at univie.ac.at
Fri Oct 4 07:58:47 EDT 2019
* Cantor, Scott <cantor.2 at osu.edu> [2019-02-12 04:46]:
> > We just went through this here. AFAIK, they require an email address for both
> > the NameID format and the released attribute - and that attribute must be
> > named "Email"
>
> They do not require an email NameID as long as an appropriate value
> is placed in the user's entry in Adobe's system in the FederatedID
> field, and they support standard attribute naming for
> givenName/sn/mail.

Thanks for the above information. Seems this has only now reached our
federation members, at last, judging from recent support requests.
I'll be advising to use the pairwise-id or subject-id URNs as the
NameIDFormat, then.

Does anyone know whether the Okta SP (as used for Adobe Inc.) supports
encryption?

While the generated metadata I've seen does contain a certificate that
comes with the use="signing" restriction (which when paired with
SPSSODescriptor/@AuthnRequestsSigned="false" and no SLO support makes
no sense as there's nothing left for the SP to sign).

Not knowing what (else) might be wrong I was hoping for the
use="signing" to be wrong, too.

-peter
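
The metadata check described in the message above, as an added example that is not part of the original post: it reads an SP's KeyDescriptor/@use values, AuthnRequestsSigned and SingleLogoutService to report whether an IdP could encrypt to the SP and whether a signing-only key has any purpose. The sample metadata, entityID and the function name `review_sp_keys` are constructed for illustration and are not Adobe's or Okta's actual metadata.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample (assumption, not real vendor metadata): one signing-only
# key, unsigned AuthnRequests, no SingleLogoutService endpoint.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_keys(metadata_xml):
    """Report what an SP's KeyDescriptors let an IdP do (trusted input only)."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    # A KeyDescriptor without @use is valid for both signing and encryption.
    uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
    can_encrypt = any(u in (None, "encryption") for u in uses)
    can_sign = any(u in (None, "signing") for u in uses)
    # AuthnRequestsSigned is an xs:boolean and defaults to false when absent.
    signs_requests = sp.get("AuthnRequestsSigned", "false") in ("true", "1")
    has_slo = sp.find("md:SingleLogoutService", NS) is not None
    findings = []
    if not can_encrypt:
        findings.append("no encryption-capable key: IdP cannot encrypt to this SP")
    if can_sign and not signs_requests and not has_slo:
        findings.append("signing key present but SP signs no requests and has no SLO")
    return {"can_encrypt": can_encrypt, "signs_requests": signs_requests,
            "has_slo": has_slo, "findings": findings}


if __name__ == "__main__":
    for finding in review_sp_keys(SAMPLE)["findings"]:
        print(finding)
```

If the use attribute were simply dropped from the KeyDescriptor, the same certificate would count as an encryption key and only the second finding would remain.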