[Shib-Users] Supporting both persistent-id and targeted-id on the sp

36 views
Skip to first unread message

Pali Singh

unread,
Mar 29, 2010, 10:45:30 AM3/29/10
to shibbole...@internet2.edu
Hi

I want my SP to support both persistent-id and targeted-id.

I've enabled the second NameIDFromScopedAttributeDecoder and disabled
the first one. See below configuration.

I would expect to see the format of persistent-id as follows:

HTTP_PERSISTENTID = $NameQualifier!$SPNameQualifier!$Name

However for an IDP releasing both the persistent-id and targeted-id I
see this:

HTTP_PERSISTENTID =
$NameQualifier!$SPNameQualifier!$Name$NameQualifier!$SPNameQualifier!$Na
me

Is this the right way to go about it? If not, please help.

Thanks

Pali


<!-- First, the deprecated version, decoded as a scoped string: -->
<!--<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID"
id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
<AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder"
formatter="$NameQualifier!$SPNameQualifier!$Name"
defaultQualifiers="true"/>
</Attribute>-->


<!-- Second, an alternate decoder that will turn the deprecated form
into the newer form. -->

<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder"
formatter="$NameQualifier!$SPNameQualifier!$Name"
defaultQualifiers="true"/>
</Attribute>


<!-- Third, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder"
formatter="$NameQualifier!$SPNameQualifier!$Name"
defaultQualifiers="true"/>
</Attribute>

<!-- Fourth, the SAML 2.0 NameID Format: -->
<Attribute
name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder"
formatter="$NameQualifier!$SPNameQualifier!$Name"
defaultQualifiers="true"/>
</Attribute>

____________________________________________________________________


Strategic Forums for Senior Leaders - book your place now!
FREE iPod Touch for establishments attending.

www.rm.com/strategicforums

____________________________________________________________________

P.S. Think Green - don't print this email unless you really need to.
This message is confidential, so please treat it appropriately and for its intended purpose only. In particular, if it refers to any technical data, terms or prices not generally available or known, such items are "commercially sensitive information" within the terms of the Freedom of Information Act 2000 and related laws. As it would be prejudicial to RM's commercial interests if these were disclosed, please refrain from doing so.

As Internet communications are not secure, please be aware that RM cannot accept responsibility for its contents. Any views or opinions presented are those of the author only and not of RM. If you are not the intended recipient of this e-mail, please accept our apologies and arrange for copies of it to be deleted. For your information, RM may intercept incoming and outgoing email communications.

RM Education plc
Registered Office: New Mill House, 183 Milton Park, Abingdon, Oxfordshire, OX14 4SE, England
Registered Number: 1148594

Scott Cantor

unread,
Mar 29, 2010, 11:15:51 AM3/29/10
to shibbole...@internet2.edu
> However for an IDP releasing both the persistent-id and targeted-id I
> see this:
>
> HTTP_PERSISTENTID =
> $NameQualifier!$SPNameQualifier!$Name$NameQualifier!$SPNameQualifier!$Na
> me

Are you sure there's not a semicolon in there somewhere?

You can't prevent multiple values from showing up if you're mapping multiple
attributes to the same id and the IdP sends both. Either split them properly
or map them to separate ids.

It's theoretically possible to write a filtering rule that would reject one
of the attributes if the other was present and had a value, but that's
advanced, undocumented, untested, and not worth the time.

-- Scott


Reply all
Reply to author
Forward
0 new messages