custom nameid formats and metadata-driven config
Cantor, Scott
cantor.2 at osu.edu
Thu Aug 4 13:54:33 UTC 2022
On 8/4/22, 9:49 AM, "users on behalf of Les LaCroix via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> This is the first time I've defined a custom format. Is it best practice to add
> custom formats to the start of the default precedence list?
No, the best practice is not using one at all; the metadata is used instead. Your default rule is overriding everything else; the profile setting is the first thing checked.
You've created a scenario where you have no choice but to do carve-outs with overrides now for everything because you can't risk breaking all the SPs that might actually need that persistent NameID. That's hard to climb down from unless you have knowledge of the systems, or are willing to break things.
-- Scott