AttributeDefinition xsi:type = SAML2NameID
Donald Lohr
lohrda at jmu.edu
Tue Oct 18 18:59:10 UTC 2022
1) In our attribute-resolver.xml file is the following definition:
<AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="ComputedIDConnector"
        attributeNames="ComputedID"/>
    <AttributeEncoder xsi:type="SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        friendlyName="eduPersonTargetedID" />
</AttributeDefinition>
2) In the default attribute release payload in our attribute-filter.xml
file is the following:
<AttributeRule attributeID="eduPersonTargetedID"><PermitValueRule xsi:type="ANY" /></AttributeRule>
3) Using the Firefox SAML tracer, I see in the saml2:AttributeStatement
the following:
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="urn:mace:incommon:jmu.edu"
SPNameQualifier="https://demo.jmu.edu/sso/"
>Tilw+llggW2JJUhjwrSWO/RBkyk=</saml2:NameID>
</saml2:AttributeValue>
</saml2:Attribute></saml2:AttributeStatement>
4) Using the aacli command, I see in the saml2:AttributeStatement the
following:
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="urn:mace:incommon:jmu.edu"
SPNameQualifier="https://demo.jmu.edu/sso/">Tilw+llggW2JJUhjwrSWO/RBkyk=</saml2:NameID>
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
What's the advantage of configuring an attribute in the
attribute-resolver.xml file as a SAML2NameID type?
When I use the aacli command on many of our InCommon Federation member
entityIDs that are getting our Default attribute payload, the
saml2:Subject NameID Format seems to mostly be transient value.
Right / wrong / indifferent, no reference is made to the
eduPersonTargetedID attribute in our saml-nameid.xml file or
relying-party.xml file.
Just trying to get my head around why my predecessors configured things
the way they did.
Thanks,
Don
--
Donald Lohr
Information Systems
James Madison University
540.568.3730
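An added example, not part of the post or of the Shibboleth project's code, that does the checking the post is doing by hand with the SAML tracer and aacli: it parses an assertion, reports whether the Subject NameID is transient or persistent, pulls any eduPersonTargetedID NameID values out of the AttributeStatement, and flags the cases a practitioner would care about (no persistent identifier released at all, a non-persistent Format inside the attribute, or an SPNameQualifier that does not match the SP's entityID, which would mean the value is scoped to some other relying party). The sample assertion is constructed from the AttributeStatement shown above with a hypothetical transient Subject added. The `computed_id` helper assumes the ComputedID data connector derives its value as base64(SHA-1(relyingPartyId "!" sourceId "!" salt)); treat that as this example's assumption and check it against your IdP version's documentation before relying on it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID OID

# Constructed sample assertion: a hypothetical transient Subject NameID plus the
# eduPersonTargetedID AttributeStatement from the post above.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:Subject>
    <saml2:NameID Format="{FMT_TRANSIENT}"
      NameQualifier="urn:mace:incommon:jmu.edu"
      SPNameQualifier="https://demo.jmu.edu/sso/">_constructed-transient-handle</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="{EPTID_NAME}"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="{FMT_PERSISTENT}"
          NameQualifier="urn:mace:incommon:jmu.edu"
          SPNameQualifier="https://demo.jmu.edu/sso/">Tilw+llggW2JJUhjwrSWO/RBkyk=</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def nameid_info(el):
    """Flatten a <saml2:NameID> element into a plain dict."""
    return {
        "format": el.get("Format"),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
        "value": (el.text or "").strip(),
    }


def check_persistent_id(assertion_xml, sp_entity_id):
    """Report how (and whether) a persistent identifier reaches the SP."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml2:Subject/saml2:NameID", NS)
    subject_format = subject.get("Format") if subject is not None else None

    # eduPersonTargetedID is released as a NameID nested inside an AttributeValue.
    eptids = [
        nameid_info(nid)
        for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)
        if attr.get("Name") == EPTID_NAME
        for nid in attr.findall("saml2:AttributeValue/saml2:NameID", NS)
    ]

    issues = []
    if subject_format != FMT_PERSISTENT and not eptids:
        issues.append("no persistent identifier: Subject NameID is not persistent "
                      "and no eduPersonTargetedID was released")
    for nid in eptids:
        if nid["format"] != FMT_PERSISTENT:
            issues.append(f"eduPersonTargetedID NameID Format {nid['format']!r} is not persistent")
        if nid["sp_name_qualifier"] != sp_entity_id:
            issues.append(f"SPNameQualifier {nid['sp_name_qualifier']!r} does not match "
                          f"SP entityID {sp_entity_id!r}")
        if not nid["value"]:
            issues.append("eduPersonTargetedID NameID value is empty")
    return {"subject_format": subject_format, "eptid_count": len(eptids),
            "eptids": eptids, "issues": issues}


def computed_id(relying_party_id, source_id, salt):
    """ComputedID as this example assumes the connector derives it (verify against your
    IdP docs): base64(SHA-1(relyingPartyId + '!' + sourceId + '!' + salt)).
    Because the SP entityID is part of the hash, each SP sees a different value."""
    material = f"{relying_party_id}!{source_id}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


if __name__ == "__main__":
    report = check_persistent_id(SAMPLE_ASSERTION, "https://demo.jmu.edu/sso/")
    print("Subject NameID format:", report["subject_format"])
    print("eduPersonTargetedID values:", report["eptid_count"])
    print("issues:", report["issues"] or "none")
    # Constructed salt and source value, for illustration only.
    print("computed id:", computed_id("https://demo.jmu.edu/sso/", "user123", "constructed-salt"))
```

Run it against aacli output for a given entityID to see at a glance whether that SP is getting a persistent identifier only through the attribute (the situation the post describes, with a transient Subject NameID) or through the Subject as well; the `computed_id` helper is what lets you confirm, with your own salt, that a value you see on the wire is the stable per-SP hash you expect.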