<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<font face="Helvetica, Arial, sans-serif">I've got an SP where we
have two different instances each with a different entityID. The
attributes being released from the attribute-filter file are the
same, the relying-party config is the same and the saml-nameid
config is the same.<br>
<br>
Trying to add a third instance (again with a different entityID):<br>
<br>
1) In the attribute-filter file we now have the following:<br>
<br>
<PolicyRequirementRule xsi:type="OR"><br>
<Rule xsi:type="Requester" value="entityID#1" /><br>
<Rule xsi:type="Requester" value="entityID#2" /><br>
<Rule xsi:type="Requester" value="entityID#3" /><br>
<br>
2) In the relying-party file we now have the following:<br>
<br>
<bean parent="RelyingPartyByName"
c:relyingPartyIds="#{{'entityID#1', 'entityID#2', 'entityID#3'}}"><br>
<property name="profileConfigurations"><br>
<list><br>
<bean parent="SAML2.SSO"
p:encryptAssertions="false"
p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:postAuthenticationFlows="#{{'vendoraccountblock','graduateaccountblock'}}"/><br>
</list><br>
</property><br>
</bean><br>
<br>
3) In the saml-nameid file we now have the following:<br>
<br>
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"<br>
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"<br>
p:attributeSourceIds="#{ {'email'} }" ><br>
<property name="activationCondition"><br>
<bean parent="shibboleth.Conditions.RelyingPartyId"
c:candidates="#{{'entityID#1', 'entityID#2', 'entityID#3'}}" /><br>
</property><br>
</bean><br>
<br>
<br>
When I run the aacli command for all three entityIDs the following
is returned:<br>
<br>
<saml2:Subject><br>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="urn:mace:incommon:jmu.edu"
SPNameQualifier="entityID#1"><a class="moz-txt-link-abbreviated" href="mailto:lohrda@jmu.edu">lohrda@jmu.edu</a></saml2:NameID><br>
</saml2:Subject><br>
<br>
<font face="Helvetica, Arial, sans-serif"> <saml2:Subject><br>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="urn:mace:incommon:jmu.edu"
SPNameQualifier="entityID#2"><a class="moz-txt-link-abbreviated" href="mailto:lohrda@jmu.edu">lohrda@jmu.edu</a></saml2:NameID><br>
</saml2:Subject><br>
</font></font><br>
<font face="Helvetica, Arial, sans-serif"><font face="Helvetica, Arial, sans-serif"> <saml2:Subject><br>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="urn:mace:incommon:jmu.edu"
SPNameQualifier="entityID#3"><a class="moz-txt-link-abbreviated" href="mailto:lohrda@jmu.edu">lohrda@jmu.edu</a></saml2:NameID><br>
</saml2:Subject><br>
<br>
4) In each locally stored metadata file (provided by the vendor
by email) the NameID entries are the following:<br>
<br>
<font face="Helvetica, Arial, sans-serif"><font face="Helvetica, Arial, sans-serif">entityID#1:<br>
<br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><br>
</font></font><br>
entityID#2:<br>
<br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat><br>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><br>
<br>
<font face="Helvetica, Arial, sans-serif"><font face="Helvetica, Arial, sans-serif">entityID#3:<br>
</font></font><br>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat><br>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat><br>
<font face="Helvetica, Arial, sans-serif"><font face="Helvetica, Arial, sans-serif">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><br>
</font></font><br>
<br>
<br>
However when I use the Firefox SAML tracer, and attempt a login
to entityID#3, the NameID is a transient value.<br>
<br>
Why does aacli report emailAddress as the NameID for ALL three,
while the SAML tracer reports emailAddress for entityID#1 & 2
but transient for #3?<br>
<br>
Thanks,<br>
Don<br>
<br>
</font></font>
<pre class="moz-signature" cols="72">--
D o n a l d L o h r
I n f o r m a t i o n S y s t e m s
J a m e s M a d i s o n U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
</pre>
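As an added illustration (not code from Don's post or from the Shibboleth project), a small Python model of the NameID format selection order I assume an IdP follows: a concrete NameIDPolicy Format carried in the SP's AuthnRequest is honoured first, and only without one are nameIDFormatPrecedence, the SP metadata list and the transient default consulted in turn. aacli runs without an AuthnRequest, so it never sees that policy; the entity IDs, metadata lists and user attribute below are constructed from the post.

```python
"""Simplified model of how a SAML IdP picks a NameID format.

Assumed selection order (a simplification, not Shibboleth's code): an explicit
NameIDPolicy Format in the SP's AuthnRequest wins; otherwise the relying-party
nameIDFormatPrecedence is tried, then the SP metadata <NameIDFormat> list, then
the transient default. The first format a generator can produce is used.
"""
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed SP metadata mirroring the post: only entityID#3 advertises transient.
SP_METADATA = {
    "entityID#1": [UNSPECIFIED, EMAIL, PERSISTENT],
    "entityID#2": [UNSPECIFIED, EMAIL, PERSISTENT],
    "entityID#3": [UNSPECIFIED, EMAIL, TRANSIENT],
}
# Relying-party config from the post: emailAddress precedence for all three SPs.
PRECEDENCE = {sp: [EMAIL] for sp in SP_METADATA}


def can_generate(fmt, user_attrs):
    """Only two generators are modelled: the attribute-sourced email generator
    (needs the 'email' attribute, as in saml-nameid.xml) and transient."""
    if fmt == EMAIL:
        return "email" in user_attrs
    return fmt == TRANSIENT


def select_format(sp, user_attrs, requested=None):
    """Return the NameID format the IdP would issue, or None when the request
    demanded a format no generator can satisfy (an error, not a fallback)."""
    if requested and requested != UNSPECIFIED:
        # A concrete NameIDPolicy Format is binding; precedence is not consulted.
        return requested if can_generate(requested, user_attrs) else None
    candidates = PRECEDENCE.get(sp, []) + SP_METADATA.get(sp, []) + [TRANSIENT]
    for fmt in candidates:
        if can_generate(fmt, user_attrs):
            return fmt
    return None


def compare_aacli_to_login(sp, user_attrs, login_request_format):
    """aacli has no AuthnRequest, so it sees no NameIDPolicy; a browser login does."""
    return (select_format(sp, user_attrs),
            select_format(sp, user_attrs, login_request_format))
```

Capturing the SP's actual AuthnRequest (for example with the SAML tracer) and checking its NameIDPolicy Format is the quickest way to confirm or refute this model for entityID#3.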
</body>
</html>