...
The saml-nameid.xml configuration file defines two list beans, one per SAML version, each an ordered list of "generator" plugins. Each plugin is specific to one identifier Format, a SAML constant that identifies the kind of value being expressed. The generation process first selects a list of Formats to try to generate (see Format Selection below), and then tries each Format in turn, running each configured generator for that Format in order, until an appropriate value is obtained.
Since assertions need not contain a name identifier, it is not an error (from the perspective of the IdP) for all the generators to fail unless the original request contained a <NameIDPolicy> element with a Format attribute other than "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". In that situation, failure to satisfy the request results in a particular SAML response status. Note that most SPs asking for this don't mean to be doing it, and even fewer will be able to handle the resulting error.
The default configuration includes generators for "transient" identifiers. These plugins are configured using saml-nameid.properties to control the strategies used to generate and reverse-map the values (the latter only being necessary to support "back-channel" attribute queries).
...
If a <NameIDPolicy> element with a Format attribute (other than the "unspecified" value above) is supplied, then a suitable matching identifier MUST be generated or an error will be returned to the SP.
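As an added illustration (not Shibboleth code), a small Python model of the loop described above: Format selection, then running each configured generator for that Format in order, with the binding NameIDPolicy check at the end. The generators, the subject record and the SP's preferred-Format list are constructed stand-ins, the Format selection is an assumed simplification, and the status value is the SAML 2.0 InvalidNameIDPolicy code, which the page itself leaves unnamed.

```python
import secrets
from typing import Callable, Optional

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2.0 second-level status returned when a required Format cannot be met.
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

def persistent_from_attribute(subject: dict) -> Optional[str]:
    # Constructed stand-in: depends on a source attribute; returns None if absent.
    return subject.get("persistentId")

def transient_random(subject: dict) -> Optional[str]:
    # Constructed stand-in for a transient generator: always succeeds.
    return "_" + secrets.token_hex(16)

# Ordered list of (Format, generator), mirroring the SAML 2 list bean.
SAML2_GENERATORS: list[tuple[str, Callable[[dict], Optional[str]]]] = [
    (PERSISTENT, persistent_from_attribute),
    (TRANSIENT, transient_random),
]

def requires_format(requested: Optional[str]) -> bool:
    # Only a NameIDPolicy Format other than "unspecified" is binding.
    return bool(requested) and requested != UNSPECIFIED

def select_formats(requested: Optional[str], preferred: list[str]) -> list[str]:
    # Assumed simplification of Format selection: a binding NameIDPolicy
    # Format wins; otherwise the SP's preferred Formats are tried in order.
    return [requested] if requires_format(requested) else list(preferred)

def generate_nameid(subject: dict, requested: Optional[str], preferred: list[str],
                    generators=SAML2_GENERATORS):
    """Return ("ok", (format, value)), ("ok", None) or ("error", status)."""
    for fmt in select_formats(requested, preferred):
        for gen_fmt, gen in generators:
            if gen_fmt != fmt:
                continue
            value = gen(subject)
            if value is not None:
                return ("ok", (fmt, value))
    # Every generator failed: an error only if the SP insisted on a Format.
    if requires_format(requested):
        return ("error", INVALID_NAMEID_POLICY)
    return ("ok", None)
```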
...