Versions Compared

Old Version 3

changes.mady.by.user simlu@su.se

Saved on

compared with

New Version 4

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

An identifier that is neither "transient" nor "persistent" format is of a more general category referred to for convenience in this documentation as a "custom" identifier. Plugins are included for generating a custom identifier based on an attribute produced by the attribute resolution process. In most cases, this should be sufficient. In unusual scenarios, you may also build your own generator plugin, but this should rarely be necessary.

By default, support for custom identifiers is included in saml-nameid.xml but is only partially configured and commented out (because the specifics are a local matter). In the process outlined below, you will create/uncomment one or more copies of the custom generator bean(s) appropriately, and ensure the underlying source attribute(s) are released to the applicable relying parties.

Note

There are no properties relevant to the use of custom identifiers in saml-nameid.properties, so do not be distracted by that content; those settings apply only to the use of "transient" and "persistent" format identifiers.

General Procedure

...

  1. Determine the Format constant you need to support (note that most of the constants used in SAML contain a "1.1" in the URN and apply to both SAML versions).
  2. Choose one or more attributes to use to supply the identifier's value (e.g. "mail"). The first value found (in order listed) will be used.
  3. Configure your attribute filter policy to release the attribute(s) chosen to the relevant SP(s).

  4. Uncomment or create a generator bean in saml-nameid.xml for SAML 1 and/or SAML 2 as required.

    Code Block
    languagexml
    titleSAML 2.0 E-Mail Format Example
    collapsetrue
    <util:list id="shibboleth.SAML2NameIDGenerators">
	<ref bean="shibboleth.SAML2TransientGenerator" />

	<!-- SAML 2 EXAMPLE -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail', 'othermail'} }" />
</util:list>

    The format property is self-explanatory and must contain a single value per bean. The attributeSourceIds property is a list of attribute IDs to source the value from (the first value found will be used), and you can embed a comma-delimited list of quoted IDs inside the double braces (see SpringConfiguration).

  5. Lastly, trigger the appropriate Format to be selected by manipulating the selection process described in the NameIDGenerationConfiguration topic. If you control the SP's metadata (which is very common when this use case arises), the best way to do this is by inserting a <NameIDFormat> element into the metadata. If this isn't possible, a nameIDFormatPrecedence profile configuration property can be used in a relying party override definition.

The process above requires that you explicitly release the attribute to use as a source in your filter policy. If you wish, you can avoid this step by using a generator property (useUnfilteredAttributes) that allows an unreleased attribute to be used as a source, but note that doing so creates a sort of "pseudo-policy" exposing information to an SP outside of the normal filtering process.

Dealing with Conflicting Requirements

...