Options specific to the SAML 2.0 Single Logout profile:
Name | Type | Default | Description |
---|---|---|---|
qualifiedNameIDFormats | Collection<String> | See below |
Guidance
The qualifiedNameIDFormats
option was added to deal with an interoperability issue involving the matching of SAML <NameID>
elements between the values issued by the IdP and values received in <LogoutRequest>
messages. The two have to "match", and the IdP was imposing a strict rule that required all the various bits of a <NameID>
to be equal, which is the conservative approach, but it relies on SPs not modifying the data they receive unnecessarily.
While that's the expected behavior, not all SPs do this correctly, and there are some edge cases in the standard whereby some <NameID>
Formats are defined in such a way that the NameQualifier
and SPNameQualifier
attributes are permitted to "default" to values based on the entityIDs of the IdP and SP at runtime.
The IdP now supports this defaulting during its logout comparisons for the two Formats for which this defaulting is explicitly defined in the standard, namely "persistent" and "transient". The configuration option allows deployers to add additional custom Formats to the set for which this behavior is in effect.
While it is possible to add additional standard Formats to this set, it bears noting that none of them are defined by the standard to be compared in that fashion. They shouldn't even have qualifiers, in fact.