getting desired value into nameID
Mak, Steven
makst at upenn.edu
Fri Oct 7 00:48:53 UTC 2022
If you use the AACLI tool and omit the --saml2 param, it should show you ALL of the attributes before encoding. Does it show that your EPPN attribute is available for release, at least?
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz via users <users at shibboleth.net>
Date: Thursday, October 6, 2022 at 8:46 PM
To: Shib Users <users at shibboleth.net>
Cc: IAM David Bantz <dabantz at alaska.edu>
Subject: RE: getting desired value into nameID
SP’s metadata in my local cache, yes. And I’ve run these 3 variations:
* all 4 policies
* no policies
* only the emailAddress policy
With what seems to me the appropriate combination of configs:
* no NameIDFormat elements in the SP metadata (all removed and verified by log message indicating metadata specifies “[]” format(s))
* saml-nameid generated from eduPersonPrincipalName with emailAddress format, triggered by this entityID
* relying party override for this SP entityID to set nameIDFormatPrecedence to emailAddress
the SAML Subject is the long opaque transient ID (with nameid-format:transient), that is, not using ePPN and not in emailAddress format.
If I remove the relying-party override for no very good reason other than desperate variation, then NO nameID at all is in the SAML Subject.
David
On 06Oct2022 at 16:36:03, "Wessel, Keith via users" <users at shibboleth.net> wrote:
Are you hosting this entity’s metadata yourself? If so, the obvious solution is to pull out the other name ID formats. Then, you won’t have to monkey with relying party overrides. If you aren’t hosting it yourself, I’d ask why not? If it’s not federation metadata, and if I can’t verify a signature on it (which one generally can’t unless it’s coming from someone who really has their act together), I live with the risks of having to manually update it and just download it and put it directly into my local metadata. Then, I can manipulate as needed.
Keith