Problem with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent?

Nate Klingenstein ndk at
Sat Jan 9 21:12:11 UTC 2021


It depends entirely on how the applications are designed.  If they (or their SPs) are only looking for an attribute, especially with a URN reserved for userPrincipalName, they're not going to find it.  If they're looking for a NameID with the same URN, they will.  If they were looking for either, they're fine.

A Shibboleth configuration can map them to the same environment variable, so applications wouldn't even notice the change.

If you were just looking for userPrincipalName in your applications or SPs, then the best realistic option is to pull that attribute from the directory and send it using the attribute resolver and attribute filter, and get rid of anything related to persistentIDs in metadata and your AuthnRequests.  If you're trying to send userPrincipalName as a persistentID, that's not an appropriate use of the specification, but you would do it with an attribute-based NameID generator and an attribute definition and release filter, similar to what was in your original email for other attributes and the unspecified format.

So, nobody can answer that question except for you.

Take care,

Signet, Inc.
The Art of Access ®
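The distinction the reply draws (an application that only reads attributes will not see a value that moved into the Subject NameID, while one that checks either is unaffected), as an added example that is not part of the thread: a small SP-side lookup over constructed, trimmed assertions. The UPN attribute name and the sample assertions are assumptions for the demo, not values from the original post.

```python
# Added example, not from the thread: a minimal SP-side lookup that shows
# why it matters whether userPrincipalName arrives as a SAML Attribute or
# as the Subject NameID. Both assertions below are constructed samples.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Assumed attribute name for userPrincipalName; real deployments vary.
UPN_ATTR = "http://schemas.xmlsoap.org/claims/UPN"

def assertion(nameid_fmt, nameid, attrs):
    """Build a constructed (unsigned, trimmed) Assertion for the demo."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>" for n, v in attrs)
    return ET.fromstring(
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
        f'<saml:NameID Format="{nameid_fmt}">{nameid}</saml:NameID>'
        f"</saml:Subject><saml:AttributeStatement>{body}"
        f"</saml:AttributeStatement></saml:Assertion>")

def attribute_values(root, name):
    """Values of every Attribute whose Name matches, in document order."""
    return [v.text
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]

def name_id(root):
    """(Format, value) of the Subject NameID, or None if absent."""
    el = root.find("saml:Subject/saml:NameID", NS)
    return None if el is None else (el.get("Format"), el.text)

def find_upn(root, accept_nameid=False):
    """Application-style lookup: attribute first; NameID only if allowed
    (the 'either' case, like mapping both to one environment variable)."""
    vals = attribute_values(root, UPN_ATTR)
    if vals:
        return vals[0]
    if accept_nameid:
        nid = name_id(root)
        if nid and nid[0] == PERSISTENT:
            return nid[1]
    return None

# Constructed: UPN sent only as a persistent NameID (the change in question).
AS_NAMEID = assertion(PERSISTENT, "alice@example.edu", [("urn:oid:2.5.4.42", "Alice")])
# Constructed: UPN released as an attribute alongside an unspecified-format NameID.
AS_ATTR = assertion("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                    "_a1b2c3", [(UPN_ATTR, "alice@example.edu")])
```

With `accept_nameid=False` the first assertion yields no UPN at all; only an application (or SP mapping) willing to read the NameID recovers it.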
