Disable NameIDGenerator for specific relyingParty

Peter Schober peter.schober at univie.ac.at
Fri May 22 15:21:21 UTC 2020

* Ignacio Amoeiro Bosch <ignacio.amoeiro at extern.ibsalut.es> [2020-05-22 08:48]:
> c:candidate="urn:federation:MicrosoftOnline"

And M$ really requires persistent NameIDs from you, specifically?

> As a workaround, I have filtered the sourceAttribute used by the
> SAMLPersitentGenerator in attribute-filter.xml

Interesting. I thought persistent NameIDs (and only those) worked on
/unreleased/ attributes? Because it wouldn't make (privacy) sense to
/also/ release the source attribute to the SP verbatim.

So IMO there's no way to prevent persistent NameIDs from being sent to an
SP using the attribute filter. Maybe I'm missing something?

