...

The IdP has a couple of built-in methods (called "strategies" in the configuration) to produce this kind of identifier. The strategy used is controlled with the idp.persistentId.generator property in saml-nameid.properties.

Warning

It's recently come to light that at least some (perhaps many, or even most) applications do not support case-sensitive handling of identifiers. This SAML format is explicitly defined to be case-sensitive, but it is much, much wiser not to expect that. As a result, older versions of the software generate identifiers with the Base64 encoding, and this is much less safe, so if you're not already supporting identifiers produced by them, you would be wise to incorporate a different strategy to generate the values that relies on using a Base32 encoding, which is designed to support case-insensitive applications. New installs include a property explicitly set to produce Base32 values, but upgrades will continue to use Base64 for compatibility reasons.
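As an added illustration of why the encoding matters (example code, not the IdP's own), the check below shows that a Base32 identifier survives an application lower-casing it while a Base64 identifier does not. The digest layout (relying party ID, source attribute and salt joined with "!") and all sample values are assumptions for illustration only.

```python
import base64
import hashlib


def persistent_id(relying_party_id: str, source_id: str, salt: bytes, encoding: str) -> str:
    """Build a persistent identifier from a SHA-1 digest and encode it.

    The digest input layout is an assumption for illustration; the page
    describes only the encoding choice, not the hashing details."""
    digest = hashlib.sha1(
        relying_party_id.encode("utf-8") + b"!" + source_id.encode("utf-8") + b"!" + salt
    ).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "base32":
        return base64.b32encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def decode_id(identifier: str, encoding: str) -> bytes:
    """Decode an identifier back to digest bytes. Base32 accepts either letter
    case; Base64 treats 'a' and 'A' as two different symbols."""
    if encoding == "base64":
        return base64.b64decode(identifier, validate=True)
    if encoding == "base32":
        return base64.b32decode(identifier, casefold=True)
    raise ValueError(f"unsupported encoding: {encoding}")


def case_fold_preserves(identifier: str, encoding: str) -> bool:
    """True when an application that stores or compares the identifier after
    lower-casing it (case-insensitive column, folded index) still refers to
    the same digest bytes, i.e. the fold loses no information."""
    return decode_id(identifier.lower(), encoding) == decode_id(identifier, encoding)


if __name__ == "__main__":
    # Constructed sample values; not real deployment data.
    sp, user, salt = "https://sp.example.org/shibboleth", "jdoe", b"constructed-salt"
    for enc in ("base64", "base32"):
        pid = persistent_id(sp, user, salt, enc)
        print(f"{enc}: {pid}  safe under lower-casing: {case_fold_preserves(pid, enc)}")
```

Running it prints one line per encoding; only the Base32 value is reported as safe under lower-casing.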

Enabling the Generator

To enable either approach, you will need to uncomment the generator bean in saml-nameid.xml for SAML 2 once you set the appropriate properties highlighted below.

...