Shibboleth IdP 4.0.1 proxying authentication to Azure AD

Cantor, Scott cantor.2 at
Mon Dec 14 13:26:11 UTC 2020

On 12/11/20, 4:49 PM, "Michael Grady" <mgrady at> wrote:

>    In the SAML response from Azure AD is this:

Notice there's no NameFormat? That means you would have to explicitly define the saml2.nameFormat property in the rule to reflect that they are (incorrectly) leaving it defaulted to the unspecified constant.

If it hammers home how broken this is, Microsoft (through their stooge at the time from IBM) is the reason that SAML naming includes all these "options" that complicate everything instead of just requiring URIs and leaving it at that.

Additionally, I do realize that adding a transcoding rule means that the IdP will also use that name itself outbound (for something it actually is asserting, probably not this thing specifically). I think we can fix that pretty easily for 4.1 by adding a simple directional property to limit things to inbound or outbound.

-- Scott

More information about the users mailing list