Weird issue with SAML-NAMEID.xml
Baron Fujimoto
baron at hawaii.edu
Sat Jun 4 01:25:17 UTC 2022
I can't speak for others as to why folks don't use a metadata-centric
approach, but for myself, this use of the metadata filter was completely
novel to me until I saw this response.
While the documentation may not suggest using generator beans and
activation conditions (or other non-metadata alternatives), it also, at
least as far as I've encountered, does not obviously point you to a
metadata filter as a best practice for these sorts of situations. Those of
us responsible for making it work do our best with the information we can
find.
The way we accommodated this sort of nameid format issue was to use a
RelyingPartyOverride with a nameIDFormatPrecedence – but now that we're
aware of the metadata filter approach and its recommendation as a preferred
practice, we can explore it. I'm pleased to have learned of it.
On Fri, Jun 3, 2022 at 8:04 AM Cantor, Scott via users <users at shibboleth.net> wrote:
> You don't do this by touching anything but metadata. Add the relevant
> NameIDFormat to the SP's metadata or add a filter to add it. Done.
>
> Do NOT create one-off NameID generator beans and do not use activation
> conditions to control them. Just because it's possible doesn't mean you
> should ever do it. It's there as an absolute last resort.
>
> The documentation does not in any way suggest doing this, so I don't know
> why people are doing it or what would lead somebody to think it makes
> sense, but it's analagous to creating an LDAP plugin that changes what
> attribute values are served up for a fixed attribute type based on the bind
> DN. Nobody would even think of doing that, and this is the same.
>
> If you create an email Format generator based on the filtered value of
> mail (or whatever attribute you use), then you need not worry about
> anything but releasing the relevant attribute to the SP and making sure its
> metadata stipulates the right Format.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
--
Baron Fujimoto <baron at hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
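For readers landing on this thread, the following is an added, self-contained sketch of the metadata-centric approach Scott describes above; it is example configuration written for this page, not code from either poster or from the Shibboleth project's shipped files. It assumes a Shibboleth IdP v4 layout (metadata-providers.xml, saml-nameid.xml, attribute-filter.xml), a hypothetical SP entityID of https://sp.example.org/shibboleth, a metadata file path of %{idp.home}/metadata/local-sps.xml, and that the user's address is resolved into an IdP attribute with id "mail". The SP either declares the emailAddress Format itself (first fragment) or, when you do not control its metadata, the IdP adds it with a NameIDFormat metadata filter (second fragment); the generator and release rule then do the rest without any per-SP generator beans or activation conditions.

```xml
<!-- (1) Preferred: the SP's own metadata declares the Format it wants.
     Constructed example EntityDescriptor; NameIDFormat must precede
     AssertionConsumerService per the SAML metadata schema. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"
                                 index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- (2) Alternative when the SP's metadata cannot be edited (e.g. it comes
     from a federation feed): conf/metadata-providers.xml, a NameIDFormat
     filter that injects the Format into the IdP's in-memory copy of the
     SP's metadata. Assumed path and entityID; element order (Format before
     Entity) follows the filter's schema. -->
<MetadataProvider id="LocalSPs" xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/local-sps.xml">
  <MetadataFilter xsi:type="NameIDFormat">
    <Format>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</Format>
    <Entity>https://sp.example.org/shibboleth</Entity>
  </MetadataFilter>
</MetadataProvider>

<!-- (3) conf/saml-nameid.xml: one attribute-sourced emailAddress generator
     for the whole IdP, inside the shibboleth.SAML2NameIDGenerators list.
     No per-SP bean, no activation condition; the IdP selects it only when
     the SP's (possibly filtered) metadata lists this Format and the "mail"
     attribute was released to that SP. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
  <ref bean="shibboleth.SAML2TransientGenerator" />
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />
</util:list>

<!-- (4) conf/attribute-filter.xml: release "mail" to that SP. Releasing the
     attribute is the only per-SP decision the operator has to make. -->
<AttributeFilterPolicy id="releaseMailToExampleSP">
  <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
  <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>
```

Two practical checks: the filter in (2) changes only what the IdP believes about the SP, not what the SP actually accepts, so confirm the expected Format with the SP operator before adding it; and if an SP receives a transient NameID instead of the e-mail one, verify in order that the Format appears in the SP's metadata as the IdP sees it, that "mail" is actually released to that SP, and that the generator in (3) is listed before any other generator with the same Format.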