Shibboleth IdP 4.0.1 proxying authentication to Azure AD
cantor.2 at osu.edu
Mon Dec 14 13:26:11 UTC 2020
On 12/11/20, 4:49 PM, "Michael Grady" <mgrady at unicon.net> wrote:
> In the SAML response from Azure AD is this:
Notice there's no NameFormat? That means you would have to explicitly define the saml2.nameFormat property in the rule to reflect that they are (incorrectly) leaving it defaulted to the unspecified constant.
If it hammers home how broken this is, Microsoft (through their stooge at the time from IBM) is the reason that SAML naming includes all these "options" that complicate everything instead of just requiring URIs and leaving it at that.
Additionally, I do realize that adding a transcoding rule means that the IdP will also use that name itself outbound (for something it actually is asserting, probably not this thing specifically). I think we can fix that pretty easily for 4.1 by adding a simple directional property to limit things to inbound or outbound.
More information about the users