"email" NameIDFormat in saml20-sp-remote


Daisuke Miyakawa

Nov 29, 2012, 8:28:29 PM
to simple...@googlegroups.com
Hi,

http://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote says:

The NameIDFormat this SP should receive. There are three values for NameIDFormat which is supported by simpleSAMLphp:
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:email

I couldn't find the third one in the original spec [SAMLCore] (errata composite v6).
Could someone point out where it is as a SAML specification?
Also, I'd like to know if it is ok to use urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress instead, which is in the spec.

Thanks,

--
Daisuke Miyakawa (宮川大輔)
d.miy...@gmail.com

Peter Schober

Nov 30, 2012, 3:47:14 AM
to simple...@googlegroups.com
* Daisuke Miyakawa <d.miy...@gmail.com> [2012-11-30 08:07]:
> Also, I'd like to know if it is ok to use
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress instead, which is in
> the spec.

See my email to this list from 2 days ago, in the thread with the subject
"Help Passing Authenticated Information to Google"
-peter

Peter Schober

Nov 30, 2012, 3:56:58 AM
to simple...@googlegroups.com
* Daisuke Miyakawa <d.miy...@gmail.com> [2012-11-30 08:07]:
> http://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote says:
>
> The NameIDFormat this SP should receive. There are three values for
> NameIDFormat which is supported by simpleSAMLphp:
>
> - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
> - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> - urn:oasis:names:tc:SAML:2.0:nameid-format:email
>
>
> I couldn't find the third one in the original spec [SAMLCore] (errata
> composite v6).

In addition to that document I see that being used in
./metadata-templates/saml20-sp-remote.php and in the SSP Google Apps
documentation ./docs/simplesamlphp-googleapps.txt
So I'd say it's more of a documentation error.

> Also, I'd like to know if it is ok to use
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress instead,
> which is in the spec.

If the relying party can handle it, sure.
-peter

Daisuke Miyakawa

Nov 30, 2012, 5:41:13 PM
to simple...@googlegroups.com
Thank you for the replies :-)

I'm new to this area (.. and not a native English speaker),
so let me clarify something.

I understand this is the right uri:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

..while technically SimpleSAML can handle these:
- urn:oasis:names:tc:SAML:1.1:nameid-format:email
- urn:oasis:names:tc:SAML:2.0:nameid-format:email
- urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress


In the email thread "Help Passing Authenticated Information to Google",
"urn:oasis:names:tc:SAML:1.1:nameid-format:email" is mentioned while
[SAMLCore] just has "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
I'm not sure if the shorter one is valid in a strict manner (from the spec perspective).

I may be a bit too picky..


2012/11/30 Peter Schober <peter....@univie.ac.at>

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

Peter Schober

Nov 30, 2012, 8:06:40 PM
to simple...@googlegroups.com
* Daisuke Miyakawa <d.miy...@gmail.com> [2012-11-30 23:41]:
> I understand this is the right uri:
> - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If that is what the SAML specs say (which you clearly have found and
consulted yourself), then it is. You don't need other people to tell
you what's in the spec or not.

> ..while technically SimpleSAML can handle these:
> - urn:oasis:names:tc:SAML:1.1:nameid-format:email
> - urn:oasis:names:tc:SAML:2.0:nameid-format:email
> - urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress

As I already said this might just be an error in the documentation and
metadata-template file. Some developer would need to confirm what, if
anything, SSP would do with invalid NameID formats.

> In the email thread "Help Passing Authenticated Information to Google",
> "urn:oasis:names:tc:SAML:1.1:nameid-format:email" is mentioned while
> [SAMLCore] just has
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
> I'm not sure if the shorter one is valid in a strict manner (from the spec
> perspective).

If software behaves differently at all based on looking at this, it
will be a simple string comparison, so yes, a single byte or char
might make all the difference.
Needless to say, whatever is in the spec is "correct", as there is no
other measure for correctness. And my reference to that thread was
made only regarding the use of a SAML1.1-defined nameid format within
SAML2 protocol messages.

So I don't really understand your questions. You've found the spec and
the nameid formats it defines. You've seen mails that state that there
should be no reason you couldn't use a SAML1.1-defined nameid format
within SAML2.0 (as it makes no sense to redefine all existing nameid
formats only because a new version might be available).
So you know what you should be doing, I'd say.
-peter
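To make Peter's "simple string comparison" point concrete, here is an added example (not code from the thread or from simpleSAMLphp) that lints the `NameIDFormat` value of `saml20-sp-remote` entries against the identifiers SAML 2.0 Core section 8.3 actually defines. The comparison is exact and case-sensitive, so `email` versus `emailAddress`, or `2.0` versus `1.1` in the prefix, is simply an unknown format; the near-miss hint only exists to make the misconfiguration obvious at deploy time. The entity IDs are placeholders and the metadata array is constructed for the example; it assumes PHP 8 for `str_starts_with`.

```php
<?php
declare(strict_types=1);

// NameID format URIs defined in SAML 2.0 Core, section 8.3. The SAML 1.1
// identifiers are carried over verbatim; nothing redefines them under "2.0".
const SPEC_NAMEID_FORMATS = [
    'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
];

/**
 * Exact, case-sensitive match. This is all a SAML implementation can do
 * with a Format URI, so a single differing byte makes it a different format.
 */
function isSpecNameIdFormat(string $format): bool
{
    return in_array($format, SPEC_NAMEID_FORMATS, true);
}

/**
 * For an unknown URI, suggest the spec identifier whose last URN segment
 * it looks like (case-insensitive prefix match). Returns null if nothing is close.
 */
function suggestNameIdFormat(string $format): ?string
{
    $tail = strrchr($format, ':');
    $wanted = $tail === false ? '' : strtolower(substr($tail, 1));
    if ($wanted === '') {
        return null;
    }
    foreach (SPEC_NAMEID_FORMATS as $known) {
        $knownTail = strtolower(substr(strrchr($known, ':'), 1));
        if (str_starts_with($knownTail, $wanted)) {
            return $known;
        }
    }
    return null;
}

/**
 * Check one saml20-sp-remote entry (the array shape simpleSAMLphp uses).
 * Returns a list of human-readable findings; an absent NameIDFormat is fine.
 */
function checkSpRemoteEntry(string $entityId, array $entry): array
{
    if (!isset($entry['NameIDFormat'])) {
        return [];
    }
    $format = (string) $entry['NameIDFormat'];
    if (isSpecNameIdFormat($format)) {
        return [];
    }
    $msg = "$entityId: NameIDFormat '$format' is not defined by SAML 2.0 Core 8.3";
    $hint = suggestNameIdFormat($format);
    if ($hint !== null) {
        $msg .= "; did you mean '$hint'?";
    }
    return [$msg];
}

// Constructed sample: the three values the documentation listed at the time.
$metadata = [
    'https://sp.example.org/transient'  => ['NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'],
    'https://sp.example.org/persistent' => ['NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'],
    'https://sp.example.org/email'      => ['NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'],
];

foreach ($metadata as $entityId => $entry) {
    foreach (checkSpRemoteEntry($entityId, $entry) as $finding) {
        echo $finding, PHP_EOL;
    }
}
```

Only the third entry produces a finding, pointing at `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. Running something like this over `metadata/saml20-sp-remote.php` before deploying an IdP catches the class of typo this thread is about, which an IdP and SP would otherwise disagree about silently.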

Olav Morken

Dec 3, 2012, 7:45:06 AM
to simple...@googlegroups.com
On Sat, Dec 01, 2012 at 02:06:40 +0100, Peter Schober wrote:
> * Daisuke Miyakawa <d.miy...@gmail.com> [2012-11-30 23:41]:
> > ..while technically SimpleSAML can handle these:
> > - urn:oasis:names:tc:SAML:1.1:nameid-format:email
> > - urn:oasis:names:tc:SAML:2.0:nameid-format:email
> > - urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
>
> As I already said this might just be an error in the documentation and
> metadata-template file. Some developer would need to confirm what, if
> anything, SSP would do with invalid NameID formats.

Yes, this is a documentation-error. I have updated the documentation to
read:

The NameIDFormat this SP should receive. The three most commonly
used values are:

1. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
3. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

The transient format will generate a new unique ID every time the
SP logs in.

To properly support the persistent and emailAddress formats, you
should configure NameID generation filters[1] on your IdP.

[1] http://simplesamlphp.org/docs/stable/saml:nameid

Best regards,
Olav Morken
UNINETT / Feide
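The corrected documentation above says to configure NameID generation filters on the IdP for the persistent and emailAddress formats. The following is an added example of what that looks like in the IdP's `metadata/saml20-sp-remote.php`; it is not Olav's text or simpleSAMLphp's own template. Entity IDs and endpoint URLs are placeholders, and it assumes the IdP releases single-valued `mail` and `eduPersonPrincipalName` attributes.

```php
<?php
// metadata/saml20-sp-remote.php on the IdP.

// An SP that wants the user's e-mail address as the subject identifier.
$metadata['https://sp.example.org/saml/metadata'] = [
    'AssertionConsumerService' => 'https://sp.example.org/saml/acs',
    'SingleLogoutService'      => 'https://sp.example.org/saml/slo',

    // The spec-defined identifier (SAML 1.1 namespace, reused as-is by SAML 2.0).
    // 'urn:oasis:names:tc:SAML:2.0:nameid-format:email', as the old
    // documentation had it, is not defined anywhere and will not match
    // what the SP compares against.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

    // Per-SP authproc filters run only for this SP, so the e-mail NameID
    // is not handed to every relying party.
    'authproc' => [
        60 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'mail',   // assumption: single-valued; the filter fails on multi-valued attributes
            'Format'    => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
    ],
];

// An SP that wants a stable but opaque identifier instead. The persistent
// NameID is derived from the attribute and the IdP's secret salt and is
// scoped to this SP, so relying parties cannot correlate users by it.
$metadata['https://other-sp.example.net/shibboleth'] = [
    'AssertionConsumerService' => 'https://other-sp.example.net/Shibboleth.sso/SAML2/POST',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => [
        60 => [
            'class'     => 'saml:PersistentNameID',
            'attribute' => 'eduPersonPrincipalName', // assumption: present and single-valued for every user
        ],
    ],
];
```

No filter is needed for the transient format, which the IdP generates by default: a fresh value on every login, so the SP cannot use it to recognise a returning user. Pick persistent when the SP needs a stable account link without learning an e-mail address, and emailAddress only when the relying party actually keys on the address (as Google Apps did in the thread referenced above).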

Peter Schober

Dec 3, 2012, 7:51:42 AM
to simple...@googlegroups.com
* Olav Morken <olav....@uninett.no> [2012-12-03 13:45]:
> Yes, this is a documentation-error. I have updated the documentation to
> read:

Thanks!
-peter

Daisuke Miyakawa

Dec 3, 2012, 9:21:20 PM
to simple...@googlegroups.com
Great! Thank you Olav and Peter!

2012/12/3 Peter Schober <peter....@univie.ac.at>
