custom nameid formats and metadata-driven config

Les LaCroix llacroix at carleton.edu
Thu Aug 4 13:48:32 UTC 2022


Peter, thanks for the quick response.  What you suggested was the first
thing I actually tried.  If I have just the NameIDFormat in the metadata
and no relying party override, I'm getting a transient subject and not the
uid-based subject.

Our default relying party profile configuration includes:

    <bean parent="SAML2.SSO.MDDriven"
        p:postAuthenticationFlows="attribute-release"
        p:nameIDFormatPrecedence="#{{
            'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />

This is the first time I've defined a custom format.  Is it best practice
to add custom formats to the start of the default precedence list?

-Les

<http://www.carleton.edu/>

*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Thu, Aug 4, 2022 at 2:20 AM Peter Schober via users <users at shibboleth.net>
wrote:

> * Peter Schober via users <users at shibboleth.net> [2022-08-04 09:16]:
> > That's covered in plain old SAML 2.0 Metadata itself:
> >
> >   <NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</NameIDFormat>
>
> You also don't need a relying party override to, well, override what's
> in the metadata if you can put the expected format into the metadata
> itself -- only a saml-nameid.xml configuration to generate the desired
> format and metadata that signals the same format (as per above).
> See "NameID format selection" (or something like that) in the wiki.
> -peter
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
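The combination Peter's reply describes (a NameIDFormat in the SP's metadata plus a matching generator in saml-nameid.xml), written out as an added example; this is not configuration from either message or from the Shibboleth project itself. The SP entityID, the AssertionConsumerService location, the attribute ID "uid" and the condition bean name "uidNameIDCondition" are assumed; the generator bean names and the activationCondition property are the ones the stock IdP v4 saml-nameid.xml and its documentation use, but the condition wiring is shown as an assumption.

```xml
<!-- Added example, not from the thread. Assumed values: SP entityID
     https://sp.example.org/shibboleth, attribute ID "uid", bean name
     "uidNameIDCondition". -->

<!-- 1. In the SP's metadata: signal the custom (uid OID) format. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1" />
</md:SPSSODescriptor>

<!-- 2. In conf/saml-nameid.xml: a generator able to produce that format.
     If no generator in this list can emit the format the SP asks for, the
     IdP has nothing to return for it and falls back to transient, which is
     the symptom described above. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <ref bean="shibboleth.SAML2PersistentGenerator" />

    <!-- Build the NameID value from the resolved "uid" attribute. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oid:0.9.2342.19200300.100.1.1"
        p:attributeSourceIds="#{ {'uid'} }"
        p:activationCondition-ref="uidNameIDCondition" />
</util:list>

<!-- 3. Scope the generator to the SP(s) that need a uid-based subject, so the
     identifier is not handed to any SP that merely lists the format in its
     metadata. The condition bean and the c:candidates wiring are assumed. -->
<bean id="uidNameIDCondition" parent="shibboleth.Conditions.RelyingPartyId"
    c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
```

The attribute-sourced generator only works if "uid" is actually resolved and released for that SP, so the attribute-release check stays the place to look when the subject still comes back transient. The activation condition is the part worth keeping even if the format selection is otherwise metadata-driven: a non-transient, attribute-derived NameID is a stable identifier, and restricting which relying parties can trigger that generator keeps the exposure to the SPs that have a reason to receive it.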