Configuring shibboleth SP NameID format persistent
Cantor, Scott
cantor.2 at osu.edu
Tue Jun 16 19:43:11 UTC 2020
On 6/16/20, 2:49 PM, "users on behalf of Feinstein, Moses" <users-bounces at shibboleth.net on behalf of moses.feinstein at touro.edu> wrote:
> Based on your response below, possibly you can clarify for me the following:
The SP, rightly or wrongly, claims it requires a SAML 2 persistent NameID. Your configuration is producing a Format constant with 1.1 in the string instead of 2.0, and they don't match, ergo, error. What you're producing is wrong so you should fix the IdP.
There's no place in the IdP configuration that requires supplying that constant; it's built in to the persistent NameID generation plugins that are present and commented by default. So I don't know why it's there or where, but it's incorrect because of a cut and paste error.
> Q1. Does the vendor authentication request look valid to you? Even though my Shibboleth IdP is configured to reply
> with "persistent" nameid format,
Yes, it's valid (which is not the same as "right", because I doubt they actually require it).
No, the IdP is configured to produce a Format that doesn't match the standard or what the SP is requesting. Close doesn't match.
> Q2. Can you provide any documentation reference which can accomplish this type of request in Shibboleth SP?
SP wiki -> search for NameIDFormat
Set it as a content setting anywhere they apply (<SSO> element, RequestMap, Apache via ShibRequestSetting), or redirect to /Shibboleth.sso/Login?NameIDFormat=<format>
--- Scott
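
The mismatch described in the message above, as an added example that is not part of the original post and not Shibboleth code: it compares the Format the SP asks for in `NameIDPolicy` with the Format on the issued `NameID`, using exact string comparison. The message only says the issued constant has "1.1 in the string", so the exact wrong URI below is an assumption, and both XML messages and the function name `check_nameid` are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
P11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
P20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
UNSPECIFIED = P11 + "unspecified"
# NameID Format URIs defined in SAML 2.0 Core, section 8.3.
STANDARD_FORMATS = (
    {P11 + n for n in ("unspecified", "emailAddress", "X509SubjectName",
                       "WindowsDomainQualifiedName")}
    | {P20 + n for n in ("kerberos", "entity", "persistent", "transient")})

# Constructed sample messages, trimmed to the elements the check reads.
REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           ' ID="_r1" Version="2.0">'
           '<samlp:NameIDPolicy Format="' + P20 + 'persistent"/>'
           '</samlp:AuthnRequest>')
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_s1" Version="2.0">'
            '<saml:Assertion><saml:Subject>'
            '<saml:NameID Format="{fmt}">constructed-opaque-id</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>')


def check_nameid(authn_request_xml, response_xml):
    """Return a list of problems with the issued NameID Format (empty if none)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    requested = policy.get("Format") if policy is not None else None
    name_id = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["missing-nameid: response carries no NameID"]
    # An absent Format attribute means "unspecified" per the SAML core spec.
    issued = name_id.get("Format", UNSPECIFIED)
    problems = []
    if issued not in STANDARD_FORMATS:
        problems.append("nonstandard-format: " + issued)
    # Exact comparison: a URI that is merely close does not match.
    if requested not in (None, UNSPECIFIED) and issued != requested:
        problems.append("format-mismatch: requested %s, issued %s" % (requested, issued))
    return problems


if __name__ == "__main__":
    # Assumed form of the cut-and-paste error: 1.1 where 2.0 belongs.
    for fmt in (P11 + "persistent", P20 + "persistent"):
        print(fmt, "->", check_nameid(REQUEST, RESPONSE.format(fmt=fmt)) or "ok")
```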