Storing persistentId using an HTTP DataConnector
Wed Nov 9 08:46:30 UTC 2022

Hi,

Thanks for your help.

For now, IdP is just a rich piece of Java software for me. I know a bit about SAML, federations, ... but I still have no clue about the context, why exactly we have one and what SPs are used or not among the different federations we joined. We don't have any SP as far as I know. So I am trying to be ready for anything and learning by trial and error.

If I had some time, I would try to set up an SP and experiment a little.

Is there some tool a bit like "aacli" but able to mimic some kind of "dummy SP"? Only sending forged SAML requests and getting the responses, just for debug and learning purposes. I was not able to find one until now, but I don't really know what to call that.

Regards

On 08-Nov-2022 18:12:17 +0100, ndk at wrote:

You probably want to leave the default as transient, because that is what will apply for service providers that have nothing in particular specified for them.

For this scenario, you could add the preferred format to their metadata, which is probably the best way, they could add it to their AuthnRequests, or you can explicitly put in a relying party definition. It'll follow the selection pattern described in the documentation.


Let me know if you need any more specific assistance,

Signet, Inc.
The Art of Access (R)

-----Original message-----
From: spf via users
Sent: Tuesday, November 8 2022, 9:54 am
To: users at
Cc: at
Subject: Re: Storing persistentId using an HTTP DataConnector

Thank you and Nate.

In fact, I am just a bit dumb and/or blind: I have read these pages a couple of times, and edited my saml-nameid.* files even more.

But if I am not able to spot "#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient", what to do?

So with "idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" I get the expected result!


On 08-Nov-2022 16:56:13 +0100, users at wrote:

* spf via users  [2022-11-08 16:30]:
> The only thing I can't understand for now is how to have a persistent
> NameID in the SAML assertions. If the SAML2PersistentGenerator only
> is enabled, there is even no subject. But if SAML2TransientGenerator
> or both are enabled, I have a

In my conf/saml-nameid.xml within  I have multiple *Generator
elements, all "active" in the configuration and used when needed
(based on the NameID selection process Nate pointed you to):
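The three ways Nate lists above for asking for a persistent NameID for one SP while leaving idp.nameid.saml2.default at transient, written out as an added illustration (not configuration from this thread; the entityID https://sp.example.org/shibboleth is a placeholder):

```xml
<!-- 1) Per-SP override in conf/relying-party.xml: only this entityID gets
        persistent NameIDs; every other SP still follows the global default.
        The entityID below is a placeholder. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>

<!-- 2) Or the SP declares its preferred format(s) in its metadata, inside the
        SPSSODescriptor, listed in order of preference. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <!-- KeyDescriptor / AssertionConsumerService elements omitted here -->
</md:SPSSODescriptor>

<!-- 3) Or the SP asks per request, in the AuthnRequest it sends to the IdP. -->
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    AllowCreate="true" />
```

Whichever path is used, the SAML2PersistentGenerator still has to be active in conf/saml-nameid.xml, and the format only resolves if that generator can produce a value for the SP; an override naming a format no active generator supports yields no NameID rather than a transient fallback.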