Storing persistentId using an HTTP DataConnector
spfma.tech at e.mail.fr
Wed Nov 9 08:46:30 UTC 2022
Hi,

Thanks for your help. For now, the IdP is just a rich piece of Java software for me. I know a bit about SAML, federations, ... but I still have no clue about the context, why exactly we have one and what SPs are used or not among the different federations we joined. We don't have any SP as far as I know. So I am trying to be ready for anything and learning by trial and error.

If I had some time, I would try to set up an SP and experiment a little. Is there some tool a bit like "aacli" but able to mimic some kind of "dummy SP"? Only sending forged SAML requests and getting the responses, just for debug and learning purposes. I was not able to find one until now but I don't really know what to call that.

Regards
On 08-Nov-2022 18:12:17 +0100, ndk at signet.id wrote:
You probably want to leave the default as transient, because that is what will apply for service providers that have nothing in particular specified for them.
For this scenario, you could add the preferred format to their metadata, which is probably the best way, they could add it to their AuthnRequests, or you can explicitly put in a relying party definition. It'll follow the selection pattern described in the documentation.
Let me know if you need any more specific assistance,
The Art of Access (R)
From: spf via users
Sent: Tuesday, November 8 2022, 9:54 am
To: users at shibboleth.net
Cc: spfma.tech at e.mail.fr
Subject: Re: Storing persistentId using an HTTP DataConnector
Thank you and Nate.
In fact, I am just a bit dumb and/or blind: I have read these pages a couple of times, edited my saml-nameid.* files even more.
But if I am not able to spot "#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient", what to do ?
So with "idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" I get the expected result !
On 08-Nov-2022 16:56:13 +0100, users at shibboleth.net wrote:
* spf via users [2022-11-08 16:30]:
> The only thing I can't understand for now is how to have a persistent
> NameID in the SAML assertions. If the SAML2PersistentGenerator only
> is enabled, there is even no subject. But if SAML2TransientGenerator
> or both are enabled, I have a
In my conf/saml-nameid.xml within I have multiple *Generator
elements, all "active" in the configuration and used when needed
(based on the NameID selection process Nate pointed you to):
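Added example, not code from this thread or from the Shibboleth project: a minimal "dummy SP" in Python of the kind asked about above, which also shows the per-request NameIDPolicy that Nate describes as one of the ways an SP can ask for the persistent format. It builds an unsigned AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), decodes it back the way the IdP would, and reads the NameID format out of a Response. The entity IDs, URLs and the sample Response are constructed placeholders, not real deployments.

```python
"""Dummy-SP helper: build an AuthnRequest asking for a persistent NameID,
encode it for the SAML 2.0 HTTP-Redirect binding, and inspect a Response.
All entity IDs / URLs below are assumed placeholders."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, nameid_format=PERSISTENT):
    """Return (request_id, xml_bytes) for an unsigned AuthnRequest whose
    NameIDPolicy asks the IdP for `nameid_format`."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # This element is the per-request override for the NameID format.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": nameid_format, "AllowCreate": "true"})
    return request_id, ET.tostring(req, encoding="utf-8")


def redirect_binding_url(idp_sso_url, xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_binding_url, i.e. what the IdP does on receipt."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15)


def requested_nameid_format(xml_bytes):
    """Format attribute of the AuthnRequest's NameIDPolicy, or None if absent."""
    policy = ET.fromstring(xml_bytes).find(f"{{{SAMLP}}}NameIDPolicy")
    return policy.get("Format") if policy is not None else None


def response_nameid(response_xml):
    """(Format, value) of the first Subject/NameID in a Response, or (None, None)
    when the assertion carries no Subject at all."""
    nameid = ET.fromstring(response_xml).find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nameid is None:
        return None, None
    return nameid.get("Format"), nameid.text


# Constructed sample Response (no signature, no conditions) for offline testing.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2022-11-09T08:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-11-09T08:00:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}"
          NameQualifier="https://idp.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">ebSu2v5xmAn0lQ3t</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    sso = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    rid, xml_bytes = build_authn_request("https://sp.example.org/shibboleth", sso,
                                         "https://sp.example.org/Shibboleth.sso/SAML2/POST")
    print(redirect_binding_url(sso, xml_bytes, relay_state="debug"))
    print(response_nameid(SAMPLE_RESPONSE))
```

Opening the printed URL in a browser sends the request through the IdP's real SAML2/Redirect/SSO endpoint, so the IdP still has to know the SP: register metadata for the assumed entityID first, otherwise the request is rejected before any NameID generation happens. The returned Response is a signed, often encrypted, HTML-form POST, so `response_nameid` is only useful after you have decrypted the assertion; for the transient-versus-persistent question alone, comparing the `Format` attribute it returns against `PERSISTENT` is the check.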