...
| Code Block |
|---|
| xml |
|---|
| title | Custom Name Identifier Attribute Definition |
|---|
| xml |
|---|
|
<resolver:AttributeDefinition id="customId" xsi:type="Simple" sourceAttributeID="uid"
xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:Dependency ref="DEFINITION_ID_1" />
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
|
| Note |
|---|
The nameFormat choice is essentially arbitrary. SAML defines a few poorly specified options for some common syntaxes like email addresses or distinguished names, but in many cases the best choice is to invent a format that you control, or if you must, use the "unspecified" option as above, or invent one you control. |
The example above is merely one approach. Anything you can attach the necessary encoders to can be turned into an identifier, as long as you're willing to break the reverse mapping capability of the IdP or produce the necessary PrincipalConnector yourself.
...
| Code Block |
|---|
| xml |
|---|
| title | Attribute Filter Policy Releasing Transient ID to Anyone |
|---|
| xml |
|---|
|
<AttributeFilterPolicy id="releaseCustomIdToPartner">
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth" />
<AttributeRule attributeID="customId">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
|