SAML2NameID deprecated (and therefore eduPersonTargetedId?)

Cantor, Scott cantor.2 at
Tue Nov 15 16:20:30 UTC 2022

The scoped pairwise ID subject Attribute isn't the replacement for this, it was replaced a decade ago by simply saying "use a SAML 2.0 persistent NameID". The Shibboleth SP has always treated those as functionally identical down to the syntax in the exported variable.

If there's honestly some crazy piece of code out there that can handle an XML-valued AttributeValue (which nothing ever handled beyond this except for our SP) and can't handle a NameID, then a) that's insane and b) it should get fixed.

I would like to remove this from the IdP, yes. Failing that, moving it into an unsupported plugin that we will not release ourselves but would make the code available for would be my preferred plan B, because if we don't force this, nobody seems willing to do anything about it. It's past time.

-- Scott

More information about the users mailing list