Support for X509SubjectName Name ID
Ullfig, Roberto Alfredo
rullfig at uic.edu
Thu May 14 13:49:18 UTC 2020
If you take on their metadata though then you're responsible for it. certificate expirations, security issues, contact information, etc ....
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, May 14, 2020 8:39 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID
On 5/14/20, 9:26 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> add bean to saml-nameid.xml
> add nameIDFormatPrecedence to relying-party.xml
I would add it to their metadata; they've proven their metadata is wrong. Trusting incorrect metadata is pretty much the worst thing an IdP can do, so it's a given that their metadata should be locally managed and then you can correct it. This is why I don't allow remote metadata outside of InCommon and some local on-campus feeds.
> Then?...
That's it.
Of course, I wouldn't. I'd tell them to fix their SP unless they can justify the requirement and demonstrate an actual need.
If they want a DN for some good reason, the first problem I have is that I have no such thing to give them, but I would be especially wary of being asked to provide something that isn't a DN and simply mislabeling it. I do not do that under any circumstances. That's a standard violation.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200514/1824fd04/attachment.htm>
More information about the users
mailing list