[CAS SAML] Does CAS support "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameIDFormat?


Andy Ng

Oct 31, 2018, 2:58:58 AM
to CAS Community
Hi all,

Server Info:
CAS 5.2.x

Background:
Recently our CAS is going to join up with an identity federation as a SAML IdP, and I am in charge of checking the compliance in order for us to join.

Most of the items can be checked off quickly and I understand the requirements; however, I have difficulty finding support for the following requirement:

Requirement > Identity Providers SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier format

Our CAS server metadata is using the one generated by CAS, so it is basically the same as 

And from what I understand, the only supported Name ID is as follows:

        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>


And urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is not enabled by default.

Question:
I would like to know the following:
1. Does CAS support urn:oasis:names:tc:SAML:2.0:nameid-format:persistent? I would think so, because it is stated clearly in the official CAS doc https://docs.google.com/spreadsheets/d/1NYN5n6AaNxz0UxwkzIDuXMYL1JUKNZZlSzLZEDUw4Aw/edit#gid=0

2. If so, can I just enable it in the metadata by adding another entry?

        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

3. Is there any security drawback to not enabling urn:oasis:names:tc:SAML:2.0:nameid-format:persistent by default? Or maybe it is enabled but not in the metadata?

I will be very grateful for any help given by the communities, thanks!!!

Cheers!
- Andy
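To make the difference between the two formats in the question concrete, here is an added example (not from the original thread and not CAS's own code). It parses a constructed IdP metadata fragment to list the advertised NameIDFormat values, then shows a hypothetical way an IdP can mint a transient NameID (random per session) versus a pairwise persistent NameID (stable per user and per SP, derived with an HMAC over the IdP entity ID, SP entity ID and internal user ID). The entity IDs, user ID and key are placeholders, and the HMAC scheme is an illustration of the SAML Core privacy property, not CAS's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample IdP metadata mirroring the two formats quoted in the post.
# Not real CAS output; the entity ID is a placeholder.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def advertised_nameid_formats(metadata_xml: str) -> list:
    """Return the NameIDFormat values an IdP advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.text or "").strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat")]


def transient_nameid() -> str:
    """Opaque random value, new for every session: an SP cannot link two logins."""
    return secrets.token_urlsafe(24)


def persistent_nameid(idp_secret: bytes, idp_entity_id: str, sp_entity_id: str,
                      internal_user_id: str) -> str:
    """Pairwise persistent identifier (hypothetical scheme, not CAS's own).

    Stable for the same user at the same SP across sessions, but the SP entity ID
    is mixed into the HMAC, so two SPs receive different values and cannot
    correlate the user with each other. The keyed hash also hides the internal ID.
    """
    msg = "\n".join([idp_entity_id, sp_entity_id, internal_user_id]).encode()
    digest = hmac.new(idp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def nameid_element(value: str, fmt: str, idp_entity_id: str, sp_entity_id: str) -> str:
    """Serialise a saml:NameID with the qualifiers SAML Core defines for these
    formats (NameQualifier = issuing IdP, SPNameQualifier = receiving SP)."""
    return ('<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
            f" Format={quoteattr(fmt)} NameQualifier={quoteattr(idp_entity_id)}"
            f" SPNameQualifier={quoteattr(sp_entity_id)}>{escape(value)}</saml:NameID>")


if __name__ == "__main__":
    idp = "https://idp.example.org/idp"          # placeholder entity IDs
    sp = "https://sp-a.example.com/shibboleth"
    formats = advertised_nameid_formats(SAMPLE_IDP_METADATA)
    print("advertised:", formats)
    print("persistent advertised?", FMT_PERSISTENT in formats)
    key = secrets.token_bytes(32)                 # stands in for a long-lived IdP secret
    print(nameid_element(transient_nameid(), FMT_TRANSIENT, idp, sp))
    print(nameid_element(persistent_nameid(key, idp, sp, "user42"), FMT_PERSISTENT, idp, sp))
```

Running it against the sample metadata reports that persistent is not advertised, which is exactly the situation described above; a federation checker that reads the metadata would flag the same thing. The two generator functions show what each format promises the SP: a transient value gives the SP nothing to correlate between sessions, while a persistent value lets one SP recognise a returning user without any other SP being able to match on it, provided the IdP key stays secret.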

Andy Ng

Oct 31, 2018, 4:54:15 AM
to CAS Community
Some update: I have looked into some other organizations' SAML2 metadata (which are also registered with the Identity Federation we want to join),
and basically nobody bothers adding the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" entry despite the requirement.

So in this case, I would also follow them and not bother adding the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" then...

I am still curious about the above question; if anybody has more info I would also like to learn more :D

Cheers!
- Andy
