...
An identifier that is neither "transient" nor "persistent" format is of a more general category referred to for convenience in this documentation as a "custom" identifier. Plugins are included for generating a custom identifier based on an attribute produced by the attribute resolution process. In most cases, this should be sufficient. In unusual scenarios, you may also build your own generator plugin, but this should rarely be necessary.
By default, support for custom identifiers is included in saml-nameid.xml but is only partially configured and commented out (because the specifics are a local matter). In the process outlined below, you will create/uncomment one or more copies of the custom generator bean(s) appropriately, and ensure the underlying source attribute(s) are released to the applicable relying parties.
Note |
---|
There are no properties relevant to the use of custom identifiers in saml-nameid.properties, so do not be distracted by that content; those settings apply only to the use of "transient" and "persistent" format identifiers. |
General Procedure
...
- Determine the Format constant you need to support (note that most of the constants used in SAML contain a "1.1" in the URN and apply to both SAML versions).
- Choose one or more attributes to use to supply the identifier's value (e.g. "mail"). The first value found (in order listed) will be used.
- Configure your attribute filter policy to release the attribute(s) chosen to the relevant SP(s).
Uncomment or create a generator bean in saml-nameid.xml for SAML 1 and/or SAML 2 as required.
Code Block language xml title SAML 2.0 E-Mail Format Example collapse true <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- SAML 2 EXAMPLE --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail', 'othermail'} }" /> </util:list>
The
format
property is self-explanatory and must contain a single value per bean. TheattributeSourceIds
property is a list of attribute IDs to source the value from (the first value found will be used), and you can embed a comma-delimited list of quoted IDs inside the double braces (see SpringConfiguration).- Lastly, trigger the appropriate Format to be selected by manipulating the selection process described in the NameIDGenerationConfiguration topic. If you control the SP's metadata (which is very common when this use case arises), the best way to do this is by inserting a
<NameIDFormat>
element into the metadata. If this isn't possible, anameIDFormatPrecedence
profile configuration property can be used in a relying party override definition.
The process above requires that you explicitly release the attribute to use as a source in your filter policy. If you wish, you can avoid this step by using a generator property (useUnfilteredAttributes
) that allows an unreleased attribute to be used as a source, but note that doing so creates a sort of "pseudo-policy" exposing information to an SP outside of the normal filtering process.
Dealing with Conflicting Requirements
...