SAML2NameID deprecated (and therefore eduPersonTargetedId?)
cantor.2 at osu.edu
Mon Jun 5 13:38:35 UTC 2023
> Personally I'd rather ask them to start accepting pairwise-id if I
> need to be having that conversation with them, instead of trying to
> get them to the status quo of 2015 CE (when SAML 2.0 was released
> introducing persistent NameIDs).
I get that, but rekeying tends to be impossible in general. My point is that the majority of these SPs are perfectly happy to run along with no changes if the IdP would just *test* it. Certainly in the case of Shibboleth SPs, and it's easy enough to know which are which.
It's one thing to try and get a ton of people to do a ton of work that requires joint coordination and discussion. It's another to flip an option and just run some tests, one by one.
Note that "I don't have access" isn't relevant. That's what impersonation is for. I do it all the time where it's necessary to maintain the operational state of my service.
More information about the users