On 5 Dec 2012, at 13:13, Alistair Young <[log in to unmask]> wrote:
> Presume this one Ian?
>
> 2.3.2.1.1 Recommended Name and Syntax
Yes, which although it talks about a SAML 2 element you'll note is part of the SAML *1* profile. The corresponding part of the SAML 2 profile is in 3.3.1.1.
> 'New applications are encouraged to use this newer syntax, when possible'.
The UK federation's recommendations in this area are very dated, for reasons it's probably not worth getting into right now. Elsewhere, though, the "legacy name and syntax" has been strongly deprecated for some years now, and actual deployments tend to have gone down that route because that's the way things like Shibboleth work by default now.
Of course, the legacy name and syntax aren't used in the SAML 2 profile at all, so the non-legacy SAML 1 encoding is also attractive because it's the same as for SAML 2.
> What I can't work out is why they expect a NameID when there is no SAML2
> format attribute.
Because they want a persistent identifier...
> That's in Subject/NameIdentifier in SAML1.
... and normally an IdP will pass a transient there. Plus, the Subject is not normally made visible to the application by the SP.
There are two ways to go here, assuming we've understood what the problem is and without getting into more deep technical water.
One is to persuade the SP deployer to either reconfigure their SP deployment or recode their application so that the thing you're sending is accepted as an alternative to the more modern form. The other is for you to ship them the more modern form as well as the older one.
-- Ian
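The second option Ian describes, shipping the modern form alongside the legacy one, is an attribute-resolver configuration change on the IdP side. The snippet below is an added example written for this thread, not configuration taken from the thread or from the Shibboleth project's own documentation; it assumes a Shibboleth IdP v2-era attribute-resolver.xml, a pre-existing LDAP data connector named "myLDAP" that yields a "uid" attribute, a scope of "example.org", and a placeholder salt, all of which are assumptions. Both definitions are fed from one ComputedId connector so that the two encodings carry the same stable value per relying party.

```xml
<!-- Added example, not from the thread or the Shibboleth wiki.
     Assumes: IdP v2 resolver schema, a data connector "myLDAP"
     that returns "uid", scope "example.org", and a placeholder salt. -->

<!-- One persistent, SP-specific identifier used by both encodings below. -->
<resolver:DataConnector xsi:type="dc:ComputedId"
                        id="computedID"
                        generatedAttributeID="computedID"
                        sourceAttributeID="uid"
                        salt="REPLACE-WITH-A-LONG-RANDOM-SECRET-SALT">
    <resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

<!-- Modern form: urn:oid name, value carried as a saml2:NameID of
     format persistent. The SAML1XMLObject encoder produces the
     "recommended name and syntax" of the SAML 1 profile, so a
     SAML 1 SP that expects a NameID gets one; the SAML2XMLObject
     encoder produces the identical wire form for SAML 2. -->
<resolver:AttributeDefinition id="eduPersonTargetedID"
                              xsi:type="ad:SAML2NameID"
                              nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                              sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                               friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!-- Legacy form: urn:mace:dir name, value as a scoped string.
     Kept only for SAML 1 relying parties that have not moved on;
     it has no SAML 2 encoder because the SAML 2 profile never used it. -->
<resolver:AttributeDefinition id="eduPersonTargetedID.old"
                              xsi:type="ad:Scoped"
                              scope="example.org"
                              sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
                               name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
</resolver:AttributeDefinition>
```

Both attribute IDs still have to be released to the relying party in attribute-filter.xml; defining them in the resolver alone does not put either on the wire. Once the SP side confirms it consumes the urn:oid form, the ".old" definition and its release rule can be withdrawn without changing the value the SP sees, because both encodings derive from the same computedID.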