Current File(s): conf/saml-nameid.xml, conf/saml-nameid.properties
Format: Native Spring
Overview
Generation of SAML NameIdentifier/NameID content is handled by the NameIdentifierGeneration service. See the NameIdentifiers topic for a general discussion of name identifiers and a list of specific examples.
...
The saml-nameid.xml configuration file defines two list beans, one for each SAML version, each an ordered list of "generator" plugins. Each plugin is specific to an identifier Format, a SAML constant that identifies the kind of value being expressed. The generation process involves selecting a list of Formats to try (see Format Selection below), and then trying each Format in turn until an appropriate value is obtained by running each configured generator for that Format in order.
Since assertions need not contain a name identifier, it is not an error (from the perspective of the IdP) for all the generators to fail, unless the original request contained a <NameIDPolicy> element with a Format attribute other than "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". In that situation, failure to satisfy the request results in a particular SAML response status. Note that most SPs asking for this don't mean to be doing it, and even fewer will be able to handle the resulting error.
...
In the case of SAML 2, a plugin is present, but commented out, to generate "persistent" identifiers. Certain properties in saml-nameid.properties must be set in order to safely uncomment this plugin (discussed below).
The default configuration also demonstrates how to generate a custom identifier using an arbitrary Format based on an attribute from the attribute resolution process. This plugin also has the capability of selecting the first value present from a list of possible source attributes.
Tip: in summary, if you're getting unexpected results, approach the debugging from the perspective of the algorithm: identify which Formats should be getting tried (as indicated by the log), and examine each generator in order to see if it would be expected to produce a given Format.
...
Otherwise the Formats specified in an SP's metadata are filtered against the nameIDFormatPrecedence profile configuration property (if set), and the resulting set of Formats is tried in that order. That is, the first Format in the profile configuration that is also in the metadata and that yields a valid value will be used. If the profile configuration doesn't specify anything, then the metadata is used alone.
Default Formats for each SAML version are set via saml-nameid.properties and are used in the event that nothing else is called for. You should not alter that setting in most cases.
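The selection and generation algorithm described above (NameIDPolicy first, then metadata filtered by nameIDFormatPrecedence, then the default Format, with each Format's generators tried in order and a strict NameIDPolicy turning total failure into an error status) is compact enough to model end to end. The following is an added example written for this page, not Shibboleth IdP code: the function names, the Generator class, the attribute dictionary standing in for the IdP's resolved attribute context, and the simplified salted-hash persistent ID are all illustrative. The fallback to the default Format when the precedence/metadata intersection is empty is an assumption of this model, not something the page states.

```python
"""Model of NameID Format selection and the ordered generator loop.

Added example, not Shibboleth code. Names are illustrative; the attribute
dictionary stands in for the IdP's resolved attributes.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# SAML 2.0 Core status codes; InvalidNameIDPolicy is the second-level status
# for a NameIDPolicy the IdP cannot satisfy.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

Attrs = Dict[str, List[str]]


@dataclass
class Generator:
    """One entry of the ordered generator list: a Format plus a producer."""
    format: str
    produce: Callable[[Attrs], Optional[str]]


def attribute_sourced(fmt: str, source_ids: List[str]) -> Generator:
    """Emit the first value found across several candidate source attributes."""
    def produce(attrs: Attrs) -> Optional[str]:
        for attr_id in source_ids:
            values = attrs.get(attr_id) or []
            if values:
                return values[0]
        return None
    return Generator(fmt, produce)


def transient_generator() -> Generator:
    """Transient IDs depend on no attribute, so they are always obtainable."""
    return Generator(TRANSIENT, lambda attrs: "_" + secrets.token_hex(16))


def persistent_generator(source_id: str, salt: str) -> Generator:
    """Simplified stand-in for a computed persistent ID (salted hash of a
    stable attribute). Refuses to produce anything without a salt, which is
    the kind of precondition the properties file must satisfy before the
    persistent plugin is enabled."""
    def produce(attrs: Attrs) -> Optional[str]:
        values = attrs.get(source_id) or []
        if not salt or not values:
            return None
        return hashlib.sha256((salt + values[0]).encode()).hexdigest()[:32]
    return Generator(PERSISTENT, produce)


def select_formats(requested: Optional[str], metadata_formats: List[str],
                   precedence: List[str], default: str) -> List[str]:
    """Ordered Formats to try: NameIDPolicy, else precedence-filtered metadata,
    else metadata alone, else the default."""
    if requested and requested != UNSPECIFIED:
        return [requested]  # a specific NameIDPolicy pins the request to one Format
    if metadata_formats:
        if not precedence:
            return list(metadata_formats)
        chosen = [f for f in precedence if f in metadata_formats]  # profile order wins
        if chosen:
            return chosen
        # Assumption in this model: an empty intersection means nothing was called for.
    return [default]


def generate(formats: List[str], generators: List[Generator],
             attrs: Attrs) -> Optional[Tuple[str, str]]:
    """Try each Format in order, running every generator for it in list order."""
    for fmt in formats:
        for gen in generators:
            if gen.format == fmt:
                value = gen.produce(attrs)
                if value is not None:
                    return fmt, value
    return None


def build_subject(requested: Optional[str], metadata_formats: List[str],
                  precedence: List[str], default: str,
                  generators: List[Generator], attrs: Attrs) -> dict:
    """Total failure is only an error when the SP asked for a specific Format."""
    formats = select_formats(requested, metadata_formats, precedence, default)
    result = generate(formats, generators, attrs)
    if result is not None:
        return {"status": SUCCESS, "format": result[0], "value": result[1], "tried": formats}
    strict = bool(requested) and requested != UNSPECIFIED
    return {"status": INVALID_NAMEID_POLICY if strict else SUCCESS,
            "format": None, "value": None, "tried": formats}


# Constructed sample generator list and attribute contexts.
SAML2_GENERATORS = [
    transient_generator(),
    persistent_generator("uid", salt="constructed-salt-do-not-reuse"),
    attribute_sourced(EMAIL, ["mail", "eduPersonPrincipalName"]),
]
ALICE: Attrs = {"uid": ["alice"], "mail": ["alice@example.org"]}
BOB_NO_UID: Attrs = {"eduPersonPrincipalName": ["bob@example.org"]}

if __name__ == "__main__":
    print(build_subject(PERSISTENT, [], [], TRANSIENT, SAML2_GENERATORS, ALICE))
    print(build_subject(PERSISTENT, [], [], TRANSIENT, SAML2_GENERATORS, BOB_NO_UID))
    print(build_subject(None, [EMAIL, TRANSIENT], [TRANSIENT, EMAIL], TRANSIENT,
                        SAML2_GENERATORS, ALICE))
```

The "tried" list in the result is the same thing the IdP log tells you; when debugging, compare it against the generator order, which is exactly the approach the tip above recommends.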
...
See the CustomNameIDGenerationConfiguration subtopic for detailed help with this feature.
Reference
Properties defined in saml-nameid.properties to customize various aspects of default identifier generation behavior:
Beans defined in saml-nameid.xml and related system configuration discussed above follow: