ePTID and ComputedId Persistence After IdP 3.3 -> 3.4 Upgrade

Peter Schober peter.schober at univie.ac.at
Mon Feb 3 15:31:03 EST 2020


* Cantor, Scott <cantor.2 at osu.edu> [2020-02-03 21:22]:
> The one that's really "please stop doing this" is the embedding of a
> NameID inside an AttributeValue, using those XMLObject
> AttributeEncoders, but that's not really going away, it's just a bad
> idea.

AFAIU, in the OP's case use of the Attribute is down to SPs currently
receiving those. If those SPs were of the Shibboleth implementation of
course they wouldn't even notice being switched over to the proper
format (using the saml-nameid.* mechanism) -- i.e., dumping the
wrapping SAML Attribute -- /unless/ the default config allowing for
that was sabotaged by the deployer...

But even that could be tested out "in advance" to some degree by using
the SP's session initiator and Session handler URLs, e.g.
https://sp.example.edu/Shibboleth.sso/Login?entityID=yourIDP&target=https://sp.example.edu/Shibboleth.sso/Session
before and after changing the IDP's config.
(Unless the deployer disabled the Session handler, too, though I have
rarely if ever seen that.)

Of course pretty much all hope is lost for non-Shibboleth SPs.

-peter
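A small script, added here as an illustration and not part of the thread, for the "before and after" check Peter describes: capture the SP's Session handler output once before and once after the IdP config change, then compare which attributes arrive. The dump format in the constructed samples is a simplified approximation of the /Shibboleth.sso/Session text output ("name: N value(s)" lines under an "Attributes" heading); the attribute names and the exact layout are assumptions, so adjust parse_session_dump() to what your SP actually prints.

```python
"""Compare two Shibboleth SP Session-handler dumps (before / after an IdP
change) and report which attributes vanished, appeared or changed count.

Added example; the dump layout below is a constructed approximation of the
/Shibboleth.sso/Session text output and may differ from a real SP."""
import re
from typing import Dict

# Constructed sample: before the IdP switched to the saml-nameid.* mechanism
# (persistent NameID was still wrapped inside a SAML Attribute).
BEFORE = """\
Miscellaneous
Identity Provider: https://idp.example.edu/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol

Attributes
eppn: 1 value(s)
persistent-id: 1 value(s)
affiliation: 2 value(s)
"""

# Constructed sample: after the change; the SP's default attribute-map still
# yields persistent-id, now decoded from the Subject NameID instead.
AFTER = """\
Miscellaneous
Identity Provider: https://idp.example.edu/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol

Attributes
eppn: 1 value(s)
persistent-id: 1 value(s)
"""

# One attribute line in the (assumed) handler layout: "<name>: <n> value(s)"
ATTR_LINE = re.compile(r"^(?P<name>[\w.-]+):\s+(?P<count>\d+) value\(s\)$")


def parse_session_dump(text: str) -> Dict[str, int]:
    """Return {attribute name: value count} from the 'Attributes' section."""
    attrs: Dict[str, int] = {}
    in_attrs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Attributes":
            in_attrs = True
            continue
        if not in_attrs or not line:
            continue
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group("name")] = int(m.group("count"))
    return attrs


def compare_dumps(before: str, after: str,
                  required=("persistent-id",)) -> Dict[str, object]:
    """Diff two dumps; 'ok' is False if any required attribute (assumed name
    'persistent-id' for the ePTID mapping) no longer arrives afterwards."""
    b, a = parse_session_dump(before), parse_session_dump(after)
    lost = sorted(set(b) - set(a))
    gained = sorted(set(a) - set(b))
    count_changed = sorted(n for n in set(b) & set(a) if b[n] != a[n])
    missing_required = sorted(n for n in required if n not in a)
    return {
        "lost": lost,
        "gained": gained,
        "count_changed": count_changed,
        "missing_required": missing_required,
        "ok": not missing_required,
    }


if __name__ == "__main__":
    result = compare_dumps(BEFORE, AFTER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the two captures you took via the session initiator URL from the post (one per IdP configuration). Note that the handler, by default, lists only value counts, so a matching count proves the mapping still works but not that the ePTID value itself is unchanged; that last check has to be made wherever the value is actually visible to you (the application's view of the attribute), which this script does not cover.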
