AAD and IDP Shibboleth 3.0 integration

Peter Schober peter.schober at univie.ac.at
Fri Mar 13 13:39:48 EDT 2020

* Joseph Fischetti <Joseph.Fischetti at marist.edu> [2020-03-13 15:58]:
> I do believe, if he has an entry in conf/saml-nameid.xml that uses
> the immutableid as the attributeSourceId, that an encoder is
> unnecessary. So, it's possible it's not entirely pointless.

You're right, you can only base NameIDs on attributes defined in the
resolver. I missed that.
Though another error from the log (InvalidNameIDPolicy) suggests that
the NameID config isn't correct (yet), either.

And as mentioned earlier, in v4 the encoders could also have been
moved to the attribute registry (or at least
conf/attributes/default-rules.xml or custom registry rules configured
to be loaded in conf/services.xml), so this kind of thing (having to
guess based on incomplete data in support requests) will be more
common going forward, I guess, since one can (even if one doesn't have
to) put stuff in ever more different places.
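The point settled in this exchange, as an added check that is not part of the original thread: every attribute named in `attributeSourceIds` in conf/saml-nameid.xml must be defined in the attribute resolver, and it needs no encoder there. The two inline XML documents are constructed samples, and the ids `ImmutableID`, `mail` and `objectGUID` are assumptions, with data connector wiring omitted.

```python
import re
import xml.etree.ElementTree as ET

RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"
BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"

# Constructed samples (hypothetical deployment, not taken from the thread).
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="ImmutableID" xsi:type="Simple"/>
  <AttributeDefinition id="mail" xsi:type="Simple">
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3"/>
  </AttributeDefinition>
</AttributeResolver>"""

NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        p:attributeSourceIds="#{ {'ImmutableID', 'objectGUID'} }"/>
  </util:list>
</beans>"""

def resolver_attributes(xml_text):
    """Map each resolver attribute id to its number of AttributeEncoder children."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): len(d.findall(RESOLVER + "AttributeEncoder"))
            for d in root.iter(RESOLVER + "AttributeDefinition")}

def nameid_sources(xml_text):
    """Return (format, attribute id) pairs for every attribute-sourced generator."""
    pairs = []
    for bean in ET.fromstring(xml_text).iter(BEANS + "bean"):
        ids = bean.get(P + "attributeSourceIds")
        if ids:  # SpEL list literal such as #{ {'a', 'b'} }
            pairs += [(bean.get(P + "format"), n) for n in re.findall(r"'([^']+)'", ids)]
    return pairs

def check(resolver_xml, nameid_xml):
    """Report whether each NameID source attribute is defined in the resolver."""
    defined = resolver_attributes(resolver_xml)
    return [(fmt, n, f"defined, {defined[n]} encoder(s)" if n in defined else "missing")
            for fmt, n in nameid_sources(nameid_xml)]

if __name__ == "__main__":
    for row in check(RESOLVER_XML, NAMEID_XML):
        print(*row, sep=" | ")
```

A source reported as defined with 0 encoders is the case discussed above: usable for a NameID although the attribute is never encoded into an attribute statement.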

