getting desired value into nameID
IAM David Bantz
dabantz at alaska.edu
Fri Oct 7 00:46:40 UTC 2022
SP’s metadata in my local cache, yes. And I’ve run these 3 variations:

- all 4 policies
- no policies
- only the emailAddress policy
With what seems to me the appropriate combination of configs:

- no NameIDFormat elements in the SP metadata (all removed and verified by log message indicating metadata specifies “[]” format(s))
- saml-nameid generated from eduPersonPrincipalName with emailAddress format, triggered by this entityID
- relying party override for this SP entityID to set nameIDFormatPrecedence to emailAddress
the SAML Subject is the long opaque transient ID (with nameid-format:transient) - that is, not using ePPN, not in emailAddress format.

If I remove the relying-party override for no very good reason other than desperate variation, then NO nameID at all is in the SAML Subject.
David
On 06Oct2022 at 16:36:03, "Wessel, Keith via users" <users at shibboleth.net> wrote:
> Are you hosting this entity’s metadata yourself? If so, the obvious
> solution is to pull out the other name ID formats. Then, you won’t have to
> monkey with relying party overrides. If you aren’t hosting it yourself, I’d
> ask why not? If it’s not federation metadata, and if I can’t verify a
> signature on it (which one generally can’t unless it’s coming from someone
> who really has their act together), I live with the risks of having to
> manually update it and just download it and put it directly into my local
> metadata. Then, I can manipulate as needed.
>
> Keith