mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?
cantor.2 at osu.edu
Thu Jan 7 18:00:33 UTC 2021
On 1/7/21, 12:36 PM, "users on behalf of Louis Chanouha" <users-bounces at shibboleth.net on behalf of chanouha at insa-toulouse.fr> wrote:
> I'm experiencing issues with Shibboleth 4. It doesn't accept "urn:mace:shibboleth:1.0:nameIdentifier" namePolicy.
Nor should it; that's a SAML 1.1 identifier defined by the project in the old days and there is no NameIDPolicy concept in SAML 1.1, nor even a request message. There is no scenario in which it would ever appear in any SAML 2.0 exchange.
Secondly, you don't "ask" for transient, it's a default/fallback used when nothing is needed and in fact has no purpose in SAML 2.0 apart from logout support, which SAML 1.1 did not have either. Its existence in SAML 1.1 was a Shibboleth invention to support attribute queries, which are themselves no longer necessary or used in most cases.