mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?
Louis Chanouha
chanouha at insa-toulouse.fr
Fri Jan 8 09:02:02 UTC 2021
Thanks for your response!

Is there still a way to make Shibb respond to this nameid request, even with an "ugly hack"?

Several external services use this nameid; I will spend a lot of energy making every party modify their SP.

Thanks very much,
Louis.

On 2021-01-07 19:00, Cantor, Scott wrote:
> On 1/7/21, 12:36 PM, "users on behalf of Louis Chanouha" <users-bounces at shibboleth.net on behalf of chanouha at insa-toulouse.fr> wrote:
>
>> I'm experiencing issues with Shibboleth 4. It doesn't accept "urn:mace:shibboleth:1.0:nameIdentifier" namePolicy.
>
> Nor should it, that's a SAML 1.1 identifier defined by the project in the old days and there is no NameIDPolicy concept in SAML 1.1, nor even a request message. There is no scenario in which it would ever appear in any SAML 2.0 exchange.
>
> Secondly, you don't "ask" for transient, it's a default/fallback used when nothing is needed and in fact has no purpose in SAML 2.0 apart from logout support, which SAML 1.1 did not have either. Its existence in SAML 1.1 was a Shibboleth invention to support attribute queries, which are themselves no longer necessary or used in most cases.
>
> -- Scott