...
```xml
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->

    <!--
    Add custom support for email-based NameID, assumes you've released
    the source attribute (mail) to any SPs expecting to get it.
    -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }">
        <!-- Only generate the email-based NameID for this relying party -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{{'https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx'}}" />
        </property>
    </bean>

</util:list>
```
Attribute
...
Requirements
In addition to the mail attribute and NameIdentifier, the Adobe documentation suggests that attributes with the names FirstName and LastName are required. However, the SP does support the following standard attributes with NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
...
The following is an example attribute-filter configuration:
```xml
<!-- Adobe Cloud SP -->
<AttributeFilterPolicy id="AdobeCloudSP">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx" />

    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="sn">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
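A way to check that a filter file releases only mail, givenName and sn to this SP, and to flag policies that are not scoped to one requester. This is an added example, not part of the original page; the `audit` helper, the wrapping `AttributeFilterPolicyGroup` element and the second policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp"}
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the page's policy plus a deliberately broad second policy.
SAMPLE = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="AdobeCloudSP">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx" />
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="sn"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="ConstructedBroadPolicy">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def audit(xml_text, expected):
    """Return (policy id, problem, attribute list) for over-broad policies.

    `expected` maps a requester entityID to the attribute IDs it should receive.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        pid = policy.get("id")
        rule = policy.find("afp:PolicyRequirementRule", NS)
        # xsi:type may carry a namespace prefix; compare the local name only.
        rtype = (rule.get(f"{{{XSI}}}type") or "") if rule is not None else ""
        released = {r.get("attributeID") for r in policy.findall("afp:AttributeRule", NS)}
        if rtype.split(":")[-1] != "Requester":
            findings.append((pid, "not scoped to a single Requester", sorted(released)))
            continue
        extra = released - expected.get(rule.get("value"), set())
        if extra:
            findings.append((pid, "releases unexpected attributes", sorted(extra)))
    return findings
```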
...