Support for X509SubjectName Name ID

Ullfig, Roberto Alfredo rullfig at
Thu May 14 13:49:18 UTC 2020

If you take on their metadata, though, then you're responsible for it: certificate expirations, security issues, contact information, etc.

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Thursday, May 14, 2020 8:39 AM
To: Shib Users <users at>
Subject: Re: Support for X509SubjectName Name ID

On 5/14/20, 9:26 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

> add bean to saml-nameid.xml
> add nameIDFormatPrecedence to relying-party.xml

I would add it to their metadata; they've proven their metadata is wrong. Trusting incorrect metadata is pretty much the worst thing an IdP can do, so it's a given that their metadata should be locally managed and then you can correct it. This is why I don't allow remote metadata outside of InCommon and some local on-campus feeds.

> Then?...

That's it.

Of course, I wouldn't. I'd tell them to fix their SP unless they can justify the requirement and demonstrate an actual need.

If they want a DN for some good reason, the first problem I have is that I have no such thing to give them, but I would be especially wary of being asked to provide something that isn't a DN and simply mislabeling it. I do not do that under any circumstances. That's a standard violation.

-- Scott
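The two routes the thread mentions, written out as Shibboleth IdP (v3/v4-style) configuration. This is an added example, not configuration from the original messages or from the Shibboleth project; the SP entityID https://sp.example.org/shibboleth and the source attribute id subjectDN are assumptions, and the file names are the stock IdP configuration files.

```xml
<!-- saml-nameid.xml: register an X509SubjectName generator next to the defaults.
     "subjectDN" is an assumed attribute id: it must be defined in attribute-resolver.xml,
     must actually hold a distinguished name, and must be released to the SP in
     attribute-filter.xml, because the generator reads the filtered attribute set. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <ref bean="shibboleth.SAML2PersistentGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        p:attributeSourceIds="#{ {'subjectDN'} }">
        <!-- Scope the generator to the one SP that needs it (assumed entityID). -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>
</util:list>

<!-- Route 1 (Scott's recommendation): keep the SP's metadata in a locally managed
     file and declare the format there, so the IdP selects it without any
     per-relying-party override. Fragment of that SP's SPSSODescriptor. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- KeyDescriptor and AssertionConsumerService elements unchanged -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
</md:SPSSODescriptor>

<!-- Route 2 (the original poster's plan): force the format from relying-party.xml
     when the metadata cannot be corrected. Only the SAML2.SSO profile is overridden. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" />
        </list>
    </property>
</bean>
```

Either route still needs the generator bean, since the IdP only emits a format it has a generator for. Note the caveat behind Scott's last paragraph: the attribute-sourced generator copies the attribute value verbatim and does not check that it is a DN, so whatever subjectDN resolves to is exactly what gets labelled X509SubjectName in the assertion.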
