Versions Compared

...

  1. Determine the Format constant you need to support (note that most of the constants used in SAML contain a "1.1" in the URN and apply to both SAML versions).
  2. Choose one or more attributes to use to supply the identifier's value (e.g. "mail"). The first value found (in order listed) will be used.
  3. Configure your attribute filter policy to release the attribute(s) chosen to the relevant SP(s).
  4. Uncomment or create a generator bean in saml-nameid.xml for SAML 1 and/or SAML 2 as required.

    Code Block: SAML 2.0 E-Mail Format Example (XML)

    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- SAML 2 EXAMPLE -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail', 'othermail'} }" />
    </util:list>

    The format property is self-explanatory and must contain a single value per bean. The attributeSourceIds property is a list of attribute IDs to source the value from (the first value found will be used), and you can embed a comma-delimited list of quoted IDs inside the double braces (see SpringConfiguration). Most custom formats in SAML should leave out the NameQualifier and SPNameQualifier attributes, and the omitQualifiers property shown above needs to be set to "true" to suppress them.

  5. Lastly, trigger the appropriate Format to be selected by manipulating the selection process described in the NameIDGenerationConfiguration topic. If you control the SP's metadata (which is very common when this use case arises), the best way to do this is by inserting a <NameIDFormat> element into the metadata. If this isn't possible, a nameIDFormatPrecedence profile configuration property can be used in a relying party override definition.
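The two ways step 5 describes to trigger the e-mail Format, as an added example that is not part of the original page: a <NameIDFormat> element in the SP's own metadata, and a relying party override setting nameIDFormatPrecedence. The SP entityID and endpoint are constructed placeholders, and the RelyingPartyByName and SAML2.SSO parent beans are assumed to be the IdP v3 relying-party.xml conventions (they are not on this page).

```xml
<!-- Option A: in the SP's metadata (preferred when you control it).
     entityID and Location are constructed placeholders. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Listed first so the IdP's selection process prefers it over any other format. -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/Shibboleth.sso/SAML2/POST" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- Option B: a relying party override in relying-party.xml, for when the
     metadata cannot be changed. Assumes the IdP v3 RelyingPartyByName and
     SAML2.SSO parent beans; scoped to the one SP so other SPs are unaffected. -->
<util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.com/shibboleth">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO"
            p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
      </list>
    </property>
  </bean>
</util:list>
```

Pair either option with the per-SP activationCondition on the generator bean so the e-mail identifier is only generated for the SP that needs it, rather than for every SP that happens to request the format.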

...

Code Block: Example of a Generator for a specific SP (XML)

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail', 'othermail'} }">

        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" />
        </property>

    </bean>

Dealing with "Unspecified"

...