Persistent NameID attribute does not appear to be released.
IAM David Bantz
dabantz at alaska.edu
Wed Apr 8 15:31:24 EDT 2020
Your resolver defines the attribute as a NameID:
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
and as Mak pointed out, that is what is released:
<saml2:NameID...>trename01</saml2:NameID>
Both the resolver and the SAML assertion have the "persistent" format as
well.
The name "BeyondTrustUsername" is a convenience for your internal use;
it is not the SAML name of the attribute.
I don't know what Beyond Trust is specifically looking for if not a SAML
NameID with the right format. I've encountered vendors looking at the
"friendlyName" instead of the name of the attribute. If that's so in your
case, you might add a "friendlyName" to the SAML attribute definition
encoder statement.
David Bantz
UA OIT IAM
On Wed, Apr 8, 2020 at 8:44 AM Mathis, Bradley <bmathis at pima.edu> wrote:
> Hi Steve, Ah I see what you mean.. the subject of my email I realize
> wasn't a good description. This is probably due to my lack of
> understanding.... I guess what I'm expecting to see is the Attribute
> "BeyondTrustUsername" being released .... as that is what the SP is trying
> to MAP to username. As you can see in the SAML trace "uid" is being
> released if I try to have the SP map their username to "uid"... it doesn't
> recognize it .. I was thinking it didn't recognize "uid" since it wasn't a
> persistent nameid attribute .....which is why I created the
> "BeyondTrustUsername" attribute. .. which does not appear to be released.
>
> Thanks for your input and patience with my explanations. I'm fairly
> certain I'm confusing some with my incorrect use of terminology and making
> inaccurate assumptions. I must be misunderstanding how the NameId format
> and release of attributes actually work. Any other input is appreciated.
>
>
> Brad Mathis
> IT Systems Architect
> Infrastructure Services - Applications
> Pima Community College
> 520.206.4826
> bmathis at pima.edu
>
> On Wed, Apr 8, 2020 at 8:57 AM Mak, Steve <makst at upenn.edu> wrote:
>
>> It's right here:
>>
>> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.pima.edu/idp/shibboleth" SPNameQualifier="https://pima.beyondtrustcloud.com">trename01</saml2:NameID>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
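Added example, not part of the original thread and not Shibboleth or BeyondTrust code: a short parser that lists what an SP actually receives, the subject NameID and each attribute's Name and FriendlyName, to show that a resolver id such as "BeyondTrustUsername" never appears on the wire. The assertion is constructed; the NameID matches the one quoted in the thread, while the OID name and value of the uid attribute and the `lookup` helper are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment. The NameID matches the one quoted in the
# thread; the uid attribute's OID name and its value are assumed for illustration.
ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.pima.edu/idp/shibboleth"
        SPNameQualifier="https://pima.beyondtrustcloud.com">trename01</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml2:AttributeValue>trename01</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

def wire_view(xml_text):
    """Return what is actually on the wire: the subject NameID and the attributes."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml2:Subject/saml2:NameID", NS)
    name_id = None if nid is None else {"format": nid.get("Format"), "value": nid.text}
    attrs = []
    for a in root.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text for v in a.iterfind("saml2:AttributeValue", NS)]
        attrs.append({"name": a.get("Name"), "friendly": a.get("FriendlyName"), "values": values})
    return name_id, attrs

def lookup(attrs, key, match_on="name"):
    """Hypothetical SP-side mapping: match an attribute by Name or by FriendlyName."""
    for a in attrs:
        if a[match_on] == key:
            return a["values"]
    return None

if __name__ == "__main__":
    name_id, attrs = wire_view(ASSERTION)
    print("NameID:", name_id)
    for key in ("BeyondTrustUsername", "uid"):
        print(key, "by Name:", lookup(attrs, key), "| by FriendlyName:", lookup(attrs, key, "friendly"))
```

An SP that maps its username to the subject must read the NameID element; one that maps to an attribute will only match "uid" if it compares against FriendlyName rather than the OID in Name.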