I'm not sure if this is connected, but our IdP (since we set up our live 2.1.5 version, now on 2.3.8) releases eduPersonTargetedID.old and eduPersonTargetedID to ALL UK Federation SPs - I forget which one required the .old version.

Some places don't even use the ScopedAffiliation and the consistent ID above is enough.
Dave
David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* * * Think about the environment - Do you really need to print this email?

>>> Alistair Young <[log in to unmask]> 05/12/2012 15:07 >>>
> One is to persuade the SP deployer to either reconfigure their SP
That's what they're doing Ian. If it's a no-goer then I'll update our IdP to also release the modern version.

Thanks very much for your help, much appreciated. It seems to have pinpointed the issue.
Cheers,
Alistair
-------------------
Alistair Young
Chief Software Engineer
UHI@Sabhal Mòr Ostaig
On 05/12/2012 15:04, "Ian Young" <[log in to unmask]> wrote:
>
> On 5 Dec 2012, at 13:13, Alistair Young <[log in to unmask]> wrote:
>
>> Presume this one Ian?
>>
>> 2.3.2.1.1 Recommended Name and Syntax
>
> Yes, which although it talks about a SAML 2 element you'll note is part
> of the SAML *1* profile. The corresponding part of the SAML 2 profile is
> in 3.3.1.1.
>
>> 'New applications are encouraged to use this newer syntax, when
>> possible'.
>
> The UK federation's recommendations in this area are very dated, for
> reasons it's probably not worth getting into right now. Elsewhere,
> though, the "legacy name and syntax" has been strongly deprecated for
> some years now, and actual deployments tend to have gone down that route
> because that's the way things like Shibboleth work by default now.
>
> Of course, the legacy name and syntax aren't used in the SAML 2 profile
> at all, so the non-legacy SAML 1 encoding is also attractive because it's
> the same as for SAML 2.
>
>> What I can't work out is why they expect a NameID when there is no SAML2
>> format attribute.
>
> Because they want a persistent identifier...
>
>> That's in Subject/NameIdentifier in SAML1.
>
> ... and normally an IdP will pass a transient there. Plus, the Subject
> is not normally made visible to the application by the SP.
>
> There are two ways to go here, assuming we've understood what the problem
> is and without getting into more deep technical water.
>
> One is to persuade the SP deployer to either reconfigure their SP
> deployment or recode their application so that the thing you're sending
> is accepted as an alternative to the more modern form. The other is for
> you to ship them the more modern form as well as the older one.
>
> -- Ian
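The two eduPersonTargetedID encodings Ian contrasts above (the legacy urn:mace:dir name carrying a scoped string, and the recommended urn:oid name carrying a saml2:NameID of persistent format) and the SP-side fallback his first option implies, as an added example in Python. This is not code from the thread, from Shibboleth or from the UK federation. It assumes the legacy value arrives as AttributeValue text with a Scope XML attribute (the Shibboleth SAML 1 scoped-string layout) and canonicalises the modern form as NameQualifier!SPNameQualifier!value, which is the layout the Shibboleth SP's default persistent-id formatter uses; the sample attribute statement, entity IDs and identifier value are constructed.

```python
"""Accept either eduPersonTargetedID encoding on the SP side and
normalise it to one persistent identifier string (added example)."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
LEGACY_NAME = "urn:mace:dir:attribute-def:eduPersonTargetedID"  # legacy name and syntax
MODERN_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"              # recommended name, NameID value

# Constructed sample SAML 1 AttributeStatement: an IdP releasing both forms,
# as Dave's does. Entity IDs, scope and the opaque value are made up.
SAMPLE = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}" xmlns:saml2="{SAML2_NS}">
  <saml:Attribute AttributeName="{LEGACY_NAME}"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue Scope="idp.example.ac.uk">c3d2a9f1e0b7</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{MODERN_NAME}"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>
      <saml2:NameID Format="{PERSISTENT_FMT}"
                    NameQualifier="https://idp.example.ac.uk/idp/shibboleth"
                    SPNameQualifier="https://sp.example.org/shibboleth">c3d2a9f1e0b7</saml2:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def extract_targeted_ids(statement_xml, expected_sp=None):
    """Return {"modern": ..., "legacy": ...} for whichever forms are present.

    modern -> "NameQualifier!SPNameQualifier!value" (assumed canonical layout)
    legacy -> "value@scope" (assumed scoped-string layout)
    A NameID of the wrong Format, or one qualified for a different SP, is
    ignored rather than guessed at: a persistent ID is only meaningful to
    the SP it was generated for.
    """
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        name = attr.get("AttributeName")
        for val in attr.findall(f"{{{SAML1_NS}}}AttributeValue"):
            if name == MODERN_NAME:
                nid = val.find(f"{{{SAML2_NS}}}NameID")
                if nid is None or nid.get("Format") != PERSISTENT_FMT:
                    continue  # not the recommended syntax; treat as absent
                if expected_sp and nid.get("SPNameQualifier") != expected_sp:
                    continue  # identifier scoped to another SP
                value = (nid.text or "").strip()
                found["modern"] = (
                    f'{nid.get("NameQualifier")}!{nid.get("SPNameQualifier")}!{value}'
                )
            elif name == LEGACY_NAME:
                scope = val.get("Scope")
                value = (val.text or "").strip()
                found["legacy"] = f"{value}@{scope}" if scope else value
    return found


def persistent_id(statement_xml, expected_sp=None):
    """Prefer the recommended form; fall back to the legacy one so an IdP
    that only sends the older encoding is still accepted (Ian's option one)."""
    ids = extract_targeted_ids(statement_xml, expected_sp)
    return ids.get("modern") or ids.get("legacy")


if __name__ == "__main__":
    print(persistent_id(SAMPLE, "https://sp.example.org/shibboleth"))
    print(persistent_id(SAMPLE, "https://other.example.net/shibboleth"))
```

Passing the SP's own entityID as expected_sp is what makes the modern form safe to trust: a persistent NameID qualified for another SP, whether by misconfiguration or replay, falls through to the legacy string or to None instead of being accepted as this SP's identifier.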