* Jon Agland <[log in to unmask]> [2019-09-04 14:10]:
> I didn't have any success here with the FederatedID field accepting
> other values; the SAML 2 Persistent Name Identifier sent as a SAML
> attribute eduPersonTargetedID doesn't make it past the Okta IdP/SP
> proxy.
[...]
> and I'm not the person with the admin console access.
OK, thanks. I have no access (and no formal role) here either but that
sounded like a much saner option.
> I'm assuming you are suggesting use of attributes such as
> eduPersonPrincipalName (preferable) or uid, sAMAccountName, or as a
> source?
Or the pairwise-id / subject-id attribute, yes. Basically whatever is
more stable than email (we change email addresses on request,
e.g. when a person changed her name, as I expect to be a very common
thing to do) but still sufficiently easily available for provisioning
into their system (which persistent NameIDs / ePTIDs are probably not,
as to your first paragraph quoted above).
The "transparent/opaque" property of the chosen attribute's values
probably doesn't matter much if you're passing along the subject's
full name anyway, unless you send other (e.g. generic) data there, I
guess.
> I'll add about the urn:oid for mail support to the guide
Thx, I could have done it myself but didn't want to claim any
first-hand knowledge (or own empirical tests) here.
> Ah, so just uncomment this section in saml-nameid.xml?
Yes.
> That would simplify the config for that particular IdP a lot... All
> learning here, and I/we inherited the IdP config :|
There might be cases where you'd need to resort to activation
conditions there but you should strive to avoid getting into
situations where that's necessary. ;)
(Something like two different SPs requiring the same NameID format but
also requiring different data/attributes as values. You may still be
able to work around even that by providing a /list/ of attribute names
for 'attributeSourceIds' and only releasing the desired attributes to
each SP in the filter but I haven't played with that.)
Cheers,
-peter
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
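Added example (editor's illustration, not code from Peter's or Jon's mail and not the
Shibboleth project's shipped configuration): the relevant part of conf/saml-nameid.xml
once the attribute-sourced generator Peter refers to is uncommented, plus the two
workarounds from the last paragraph, an activation condition on the relying party and
a list of 'attributeSourceIds' paired with a per-SP attribute-filter.xml policy.
Entity IDs (sp-a/sp-b.example.org) and the choice of attributes are placeholders; the
assumption that the generator only sees attributes already released by the filter is
what the list-of-sources trick relies on and, as Peter says, is untested here.

```xml
<!-- conf/saml-nameid.xml (Shibboleth IdP v3/v4). Generators are tried in
     list order for the requested format; the first one that yields a value
     wins, so the SP-specific generator must come before the general one.
     The shipped file declares the p: and c: Spring namespaces used here. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Workaround 1: two SPs want the same (persistent) format but
         different values. sp-a.example.org is a placeholder; it gets a
         persistent-format NameID sourced from 'uid', gated by an
         activation condition on the relying party ID. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        p:attributeSourceIds="#{ {'uid'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{ {'https://sp-a.example.org/shibboleth'} }" />
        </property>
    </bean>

    <!-- Default for everyone else: persistent-format NameID whose value is a
         stable, provisionable identifier (ePPN) rather than mail, which
         changes when a person changes her name. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }" />

    <!-- Workaround 2 (assumption, untested): one generator with a /list/
         of source attributes; the first listed attribute that has a value
         after filtering is used, so which value an SP gets is decided by
         what attribute-filter.xml releases to it (see below). -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail', 'eduPersonPrincipalName'} }" />

</util:list>

<!-- conf/attribute-filter.xml: companion policies for workaround 2.
     sp-a gets only 'mail', sp-b only ePPN, so the same emailAddress-format
     generator above produces different values for the two SPs. -->
<AttributeFilterPolicy id="nameid-source-sp-a">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp-a.example.org/shibboleth" />
    <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>

<AttributeFilterPolicy id="nameid-source-sp-b">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp-b.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
</AttributeFilterPolicy>
```

Whichever variant is used, the attribute named in 'attributeSourceIds' has to be
released to that SP by the filter, and nothing here changes what the Okta IdP/SP
proxy does with the value once it arrives; the point is only that a NameID sourced
from ePPN or uid survives an email change, while one sourced from mail does not.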