custom nameid formats and metadata-driven config
cantor.2 at osu.edu
Fri Aug 5 13:27:21 UTC 2022
On 8/5/22, 9:16 AM, "users on behalf of Mak, Steven via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> Instead of completely commenting out the RP override, making an RP
> override for this one SP but excluding any NameIDFormatPreferences. Set it
> up for the same SAML2.SSO profile and see if that works.
It will work, certainly, but without much benefit since you'd be back to using overrides instead of the metadata. The rough equivalent that would provide some benefit at least is to use the metadata the "old" way and attach a custom tag attribute, and do an override by *tag*, that happens to not set nameIDFormatPrecedence.
In effect, the tag means "do not apply the default" NameID rule.
I do this for attribute release. Since I had an old default release policy in place, I tag anything that doesn't get that policy. This is effectively similar.
But the "full" fix is simply to undo the bad idea, figure out which SPs actually need a persistent NameID, and get those configured so that the default setting can be removed.
All I can really do is add a warning somewhere mentioning that pretty much by definition you don't want many settings attached to the default profiles.
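The tag-based override described above, as an added illustration (not configuration from the thread or from the Shibboleth project): a default relying party that carries `nameIDFormatPrecedence` on `SAML2.SSO`, a `RelyingPartyByTag` override that lists the same profile but deliberately omits that property, and the `EntityAttributes` extension in the SP's metadata that carries the tag. The tag name `http://example.org/shibboleth/nameid-policy`, the value `no-default` and the entityID are constructed placeholders.

```xml
<!-- conf/relying-party.xml (excerpt, constructed example) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- The "bad idea": a NameID preference attached to the default profile,
         so every SP without an override gets persistent NameIDs. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            </list>
        </property>
    </bean>

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- Override selected by a metadata tag rather than by entityID.
             It lists SAML2.SSO so the profile stays enabled, but sets no
             nameIDFormatPrecedence, so the default above does not apply. -->
        <bean parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean parent="TagCandidate"
                          c:name="http://example.org/shibboleth/nameid-policy"
                          p:values="no-default" />
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" />
                </list>
            </property>
        </bean>
    </util:list>
</beans>

<!-- SP metadata (excerpt, constructed example): the tag the override matches on.
     In practice this is usually injected by an EntityAttributes metadata filter
     rather than edited into the SP's own metadata. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sp.example.org/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
            <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                            Name="http://example.org/shibboleth/nameid-policy"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>no-default</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- SPSSODescriptor etc. omitted -->
</EntityDescriptor>
```

Two things to check when using this: an override's `profileConfigurations` list replaces the default's list entirely, so a profile left out of the override is disabled for the tagged SPs, not inherited; and the tag value is the only thing separating tagged SPs from the default, so the set of entities carrying it should be reviewed the same way an attribute release policy is.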