saml-nameid.xml activation condition based on NameID format?
Mak, Steve
makst at upenn.edu
Fri Sep 11 18:12:10 UTC 2020
My IdP has attributes specifically for use in nameID generation separate from the normal attributes.
We control attribute filter release separately for nameID.
Our NameID outcomes require 2 things:
1. SP metadata must indicate preference for a NameID format OR relying party override must set NameID format preference.
2. The specific nameID that can fulfill such formats must be released (allowed) in our filter for that SP.
If an SP requests emailAddress format, but we don't release our nameid-eppn to them, they still get transient or nothing.
If an SP requests emailAddress, or persistent, our filter can choose to release any and the nameid generator will create from whatever nameid source isn't null.
- Steve
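As an added illustration of the three pieces the post describes (not Steve's own configuration and not from the list archive), here is how the same arrangement looks in a Shibboleth IdP 3.x/4.x config; `nameid-eppn` is the attribute ID named in the post, while the SP entity ID and the policy/bean ids are constructed placeholders.

```xml
<!-- conf/saml-nameid.xml (fragment): the emailAddress generator reads only the
     dedicated nameid-eppn attribute, so it yields nothing unless the filter
     released that attribute to the requesting SP; transient stays as fallback. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'nameid-eppn'} }" />
</util:list>

<!-- conf/attribute-filter.xml (fragment): release the NameID source attribute
     only to the SP that is permitted an emailAddress NameID. Any other SP asking
     for that format gets no value from the generator above. -->
<AttributeFilterPolicy id="nameidEppnToExampleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="nameid-eppn" permitAny="true" />
</AttributeFilterPolicy>

<!-- conf/relying-party.xml (fragment): the "relying party override" from the
     post, for an SP whose metadata carries no <NameIDFormat> preference. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
```

Removing the `AttributeRule` for an SP is the only change needed to revoke its emailAddress NameID, which is the separation of filter release from format selection that the post relies on.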