Persistent NameID attribute does not appear to be released.
IAM David Bantz
dabantz at alaska.edu
Wed Apr 8 15:31:24 EDT 2020
Your resolver defines the attribute as a NameID:
and as Mak pointed out, that is what is released:
Both the resolver and the SAML assertion have the "persistent" format as
The name "BeyondTrustUsername" is a convenience for your internal use;
it is not the SAML name of the attribute.
I don't know what Beyond Trust is specifically looking for if not a SAML
with the right format. I've encountered vendors looking at the
instead of the name of the attribute. If that's so in your case, you might
add a "friendlyName" to the SAML attribute definition encoder statement.
UA OIT IAM
On Wed, Apr 8, 2020 at 8:44 AM Mathis, Bradley <bmathis at pima.edu> wrote:
> Hi Steve, ah, I see what you mean. The subject of my email, I realize,
> wasn't a good description. This is probably due to my lack of
> understanding. I guess what I'm expecting to see is the Attribute
> "BeyondTrustUsername" being released, as that is what the SP is trying
> to MAP to username. As you can see in the SAML trace, "uid" is being
> released. If I try to have the SP map their username to "uid", it doesn't
> recognize it. I was thinking it didn't recognize "uid" since it wasn't a
> persistent nameid attribute, which is why I created the
> "BeyondTrustUsername" attribute, which does not appear to be released.
> Thanks for your input and patience with my explanations. I'm fairly
> certain I'm confusing some with my incorrect use of terminology and making
> inaccurate assumptions. I must be misunderstanding how the NameID format
> and release of attributes actually work. Any other input is appreciated.
> Brad Mathis
> IT Systems Architect
> Infrastructure Services - Applications
> Pima Community College
> bmathis at pima.edu
> On Wed, Apr 8, 2020 at 8:57 AM Mak, Steve <makst at upenn.edu> wrote:
>> It's right here:
>> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="
>> https://idp.pima.edu/idp/shibboleth" SPNameQualifier="
>> For Consortium Member technical support, see
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
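Added example, not part of the original messages: a short Python script that lists what an assertion actually carries, separating the subject `<saml2:NameID>` from the `<saml2:Attribute>` elements, and reports whether a key an SP wants to map on matches an attribute's `Name`, its `FriendlyName`, or nothing at all. The assertion, entity IDs and values below are constructed for illustration; only the persistent format URI and the attribute id "BeyondTrustUsername" come from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not the SAML trace from the thread).
# For assertions from an untrusted source, use a hardened XML parser and
# verify the signature before reading any of these fields.
SAMPLE = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.edu/idp/shibboleth"
        SPNameQualifier="https://sp.example.com/sp">CONSTRUCTED-OPAQUE-ID</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>jdoe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

def released_identifiers(assertion_xml):
    """Return the subject NameID and every Attribute found in the assertion."""
    root = ET.fromstring(assertion_xml)
    subject = None
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is not None:
        subject = {"format": name_id.get("Format"),
                   "value": (name_id.text or "").strip()}
    attributes = []
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml2:AttributeValue", NS)]
        attributes.append({"name": attr.get("Name"),
                           "friendly_name": attr.get("FriendlyName"),
                           "values": values})
    return {"name_id": subject, "attributes": attributes}

def how_sp_could_match(released, key):
    """Say which on-the-wire field, if any, equals the key an SP maps on."""
    for field, label in (("name", "Name"), ("friendly_name", "FriendlyName")):
        if any(a[field] == key for a in released["attributes"]):
            return label
    return None  # e.g. a resolver-internal id that never appears on the wire

if __name__ == "__main__":
    released = released_identifiers(SAMPLE)
    print("NameID:", released["name_id"])
    for key in ("BeyondTrustUsername", "uid", "urn:oid:0.9.2342.19200300.100.1.1"):
        print(key, "->", how_sp_could_match(released, key))
```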