saml-nameid.xml activation condition based on NameID format?

Mak, Steve makst at upenn.edu
Fri Sep 11 18:12:10 UTC 2020


My IdP has attributes specifically for use in nameID generation separate from the normal attributes.

We control attribute filter release separately for nameID.

Our NameID outcomes require 2 things:
1. SP metadata must indicate preference for a NameID format OR relying party override must set NameID format preference.
2. The specific nameID that can fulfill such formats must be released (allowed) in our filter for that SP.


If an SP requests emailAddress format, but we don't release our nameid-eppn to them, they still get transient or nothing.

If an SP requests emailAddress or persistent, our filter can choose to release any, and the nameid generator will create one from whatever nameid source isn't null.

- Steve
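An added illustration of the setup described above (example configuration, not from Steve's post): a saml-nameid.xml generator list that sources emailAddress and persistent NameIDs only from dedicated attributes, the filter policy that gates release of nameid-eppn per SP, and a relying-party override that sets the format preference when SP metadata does not. The SP entityID, the attribute nameid-persistent, and the policy/bean ids are assumed.

```xml
<!-- saml-nameid.xml (added example). The IdP works through the formats the SP
     accepts (from its metadata or a relying-party override) and uses a generator
     only if its source attribute survived the attribute filter; otherwise it falls
     through to the next format, so an SP without a released source gets transient. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <!-- emailAddress format, sourced only from the dedicated attribute nameid-eppn -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'nameid-eppn'} }" />
    <!-- persistent format, sourced from an assumed dedicated attribute nameid-persistent -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'nameid-persistent'} }" />
</util:list>

<!-- attribute-filter.xml (added example): nameid-eppn is released only to this SP,
     so any other SP asking for emailAddress falls back to transient or nothing.
     The nameid-* attributes carry no AttributeEncoder in the resolver, so they
     never appear in the AttributeStatement; they exist only to feed the generators. -->
<AttributeFilterPolicy id="nameid-eppn-to-example-sp">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="nameid-eppn" permitAny="true" />
</AttributeFilterPolicy>

<!-- relying-party.xml (added example): the second half of requirement 1, an
     override that states the format preference for an SP whose metadata lists none. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
```

With these three pieces, both conditions in the post hold: the format must be requested (metadata or override) and the matching nameid-* attribute must be released by the filter before a non-transient NameID is issued.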



More information about the users mailing list