mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?
Christopher Bongaarts
cab at umn.edu
Fri Jan 8 18:59:14 UTC 2021
On 1/8/2021 11:31 AM, Cantor, Scott wrote:
>> Several external services use this nameid, I will spend a lot of energy making every party modify their SP.
> I have never heard of anything that *needs* a transient NameID in any Format. That doesn't really make a great deal of sense.
Speaking of not making much sense, we had a pair of SPs that required
(yes really) a NameIDFormat of transient but with a "real" value (our
net ID). Both had invalid entity IDs (some text plus a GUID) as well, to
round out the brokeneity. Sort of the opposite of what's being asked here.
I think one could work around the original request by defining a SAML2
NameID with the expected format string, and using an attribute for the
value from a computedId attribute. You might be in trouble if they need
to do any backchannel functions, though.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
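
The workaround suggested in the message above, sketched as an added example for the IdP's conf/saml-nameid.xml (this is not part of the original message and not the project's shipped configuration). It assumes an attribute with id `computedId` is already defined in the attribute resolver and that the format string the SPs expect is `urn:mace:shibboleth:1.0:nameIdentifier`.

```xml
<!-- conf/saml-nameid.xml (added example; assumes a resolver attribute with id "computedId") -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Stock transient generator, left in place for other SPs -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- SAML 2 NameID carrying the legacy Shibboleth format string,
         with its value taken from the computedId attribute -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:mace:shibboleth:1.0:nameIdentifier"
          p:attributeSourceIds="#{ {'computedId'} }" />

</util:list>
```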