> One is to persuade the SP deployer to either reconfigure their SP
That's what they're doing, Ian. If it's a no-goer then I'll update our IdP
to also release the modern version.
Thanks very much for your help, much appreciated. It seems to have
pinpointed the issue.
Cheers,
Alistair
-------------------
Alistair Young
Àrd Innleadair air Bathair-bog
UHI@Sabhal Mòr Ostaig
On 05/12/2012 15:04, "Ian Young" <[log in to unmask]> wrote:
>
>On 5 Dec 2012, at 13:13, Alistair Young <[log in to unmask]> wrote:
>
>> Presume this one Ian?
>>
>> 2.3.2.1.1 Recommended Name and Syntax
>
>Yes, which although it talks about a SAML 2 element you'll note is part
>of the SAML *1* profile. The corresponding part of the SAML 2 profile is
>in 3.3.1.1.
>
>> 'New applications are encouraged to use this newer syntax, when
>>possible'.
>
>The UK federation's recommendations in this area are very dated, for
>reasons it's probably not worth getting into right now. Elsewhere,
>though, the "legacy name and syntax" has been strongly deprecated for
>some years now, and actual deployments tend to have gone down that route
>because that's the way things like Shibboleth work by default now.
>
>Of course, the legacy name and syntax aren't used in the SAML 2 profile
>at all, so the non-legacy SAML 1 encoding is also attractive because it's
>the same as for SAML 2.
>
>> What I can't work out is why they expect a NameID when there is no SAML2
>> format attribute.
>
>Because they want a persistent identifier...
>
>> That's in Subject/NameIdentifier in SAML1.
>
>... and normally an IdP will pass a transient there. Plus, the Subject
>is not normally made visible to the application by the SP.
>
>There are two ways to go here, assuming we've understood what the problem
>is and without getting into more deep technical water.
>
>One is to persuade the SP deployer to either reconfigure their SP
>deployment or recode their application so that the thing you're sending
>is accepted as an alternative to the more modern form. The other is for
>you to ship them the more modern form as well as the older one.
>
> -- Ian
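Ian's point that the modern SAML 1 encoding is literally a SAML 2 NameID element carried inside the SAML 1 attribute value, and his "ship both forms" option, as an added example that is not from the thread or from Shibboleth: a Python checker over a constructed SAML 1.1 attribute statement that pulls the persistent identifier out of both encodings and confirms they agree. It assumes the attribute in question is eduPersonTargetedID (the thread never names it) and uses example.org entity IDs.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Assumption: the attribute is eduPersonTargetedID (the thread never names it);
# these are its legacy name and its OID name from the MACE-Dir SAML profiles.
LEGACY_NAME = "urn:mace:dir:attribute-def:eduPersonTargetedID"
MODERN_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"

# Constructed SAML 1.1 attribute statement carrying BOTH encodings of the same
# opaque value: the legacy plain string and the saml2:NameID form.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML1}" xmlns:saml2="{SAML2}">
  <saml:Attribute AttributeName="{LEGACY_NAME}"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>c4f1d2e3a5b6</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{MODERN_NAME}"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>
      <saml2:NameID Format="{PERSISTENT}"
          NameQualifier="https://idp.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">c4f1d2e3a5b6</saml2:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def persistent_ids(statement_xml):
    """Return {"legacy": str or None, "modern": dict or None} from a SAML 1 statement."""
    root = ET.fromstring(statement_xml)
    found = {"legacy": None, "modern": None}
    for attr in root.findall(f"{{{SAML1}}}Attribute"):
        name = attr.get("AttributeName")
        for value in attr.findall(f"{{{SAML1}}}AttributeValue"):
            nameid = value.find(f"{{{SAML2}}}NameID")
            if name == MODERN_NAME and nameid is not None:
                # Accept the modern form only if it really is a persistent NameID.
                if nameid.get("Format") != PERSISTENT:
                    continue
                found["modern"] = {"value": (nameid.text or "").strip(),
                                   "idp": nameid.get("NameQualifier"),
                                   "sp": nameid.get("SPNameQualifier")}
            elif name == LEGACY_NAME and nameid is None:
                found["legacy"] = (value.text or "").strip()
    return found

def consistent(found):
    # True when both encodings are present and carry the same opaque value.
    m, l = found["modern"], found["legacy"]
    return m is not None and l is not None and m["value"] == l
```

Running it against an SP's real assertion log shows at a glance which encoding the IdP is releasing, and whether a dual release is internally consistent.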