Hi,
I have been asked off-list the same question by a couple of different
people. The question is "how can I get SATOSA to send a specific NameID
value and format to the requesting SP?"
They usually ask after trying, in vain, to configure the SAML2 frontend
and/or the SAML metadata for the SP to specify a particular NameID
format (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
My reading of lines 339 to 353 in .../frontends/saml2.py is that there
is no way to force, either through configuration of the frontend or in
SAML metadata, what format is used for NameID, nor what value is used.
Rather what happens is that the frontend takes whatever values are set
for
internal_response.subject_id
internal_response.subject_type
and creates a NameID element object and passes it to pysaml2 to create
the actual response. The only exception to that rule is if
internal_response.subject_id
is None, then pysaml2 is passed None, and it has code that then defaults
to creating a transient NameID (which I argue is the most sensible thing
it can do).
So to my reading, the only and correct way to affect what the SATOSA
SAML frontend sends for the NameID is to have a response microservice
that sets
internal_response.subject_id
internal_response.subject_type
before the frontend begins processing the response. The only alternative
is to just accept what is passed through from the backend.
Is my analysis correct?
Thanks,
Scott K
P.S. I have been using a microservice(s) to set
internal_response.subject_id
internal_response.subject_type
for quite some time and it works just fine.
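For readers who want to see what such a response micro-service looks like, here is an added example (my own illustration, not code from the SATOSA project or from Scott's deployment). It sets internal_response.subject_id and internal_response.subject_type per requesting SP from a released attribute, and deliberately leaves both as None when the attribute is missing or multi-valued, so that the frontend hands None to pysaml2 and the transient fallback described above kicks in. The config keys ("default", "requesters", "attribute", "format") and the ConstructedInternalResponse class are invented for this example; the real ResponseMicroService is imported if SATOSA is installed and replaced by a minimal stand-in otherwise so the file runs on its own. In a deployment the micro-service has to be listed in the response micro-service chain so it runs before the SAML2 frontend builds the response.

```python
"""
Response micro-service that sets internal_response.subject_id and
internal_response.subject_type before the SAML2 frontend builds the NameID.

Added example for this thread, not SATOSA project code. The real
ResponseMicroService is imported when SATOSA is installed; otherwise a
minimal stand-in with the same calling convention is defined so the file
runs offline.
"""

try:
    from satosa.micro_services.base import ResponseMicroService
except ImportError:  # stand-in so the example runs without SATOSA installed
    class ResponseMicroService:
        def __init__(self, *args, **kwargs):
            self.next = None  # set by the plugin loader in a real deployment

        def process(self, context, data):
            return self.next(context, data)

# NameID format URIs from the SAML 2.0 Core spec (spelled out to avoid a pysaml2 import)
NAMEID_FORMAT_EMAILADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class NameIDFromAttribute(ResponseMicroService):
    """Pick the NameID value/format per requesting SP from a released attribute.

    Config shape (invented for this example):
        default:    {attribute: mail, format: <nameid-format uri>}
        requesters: {<sp entity id>: {attribute: ..., format: ...}}
    """

    def __init__(self, config, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.default = config.get("default", {})
        self.per_requester = config.get("requesters", {})

    def select_name_id(self, requester, attributes):
        """Return (subject_id, subject_type), or (None, None) to let pysaml2
        fall back to a transient NameID.

        A value is only used when the chosen attribute has exactly one value:
        a missing attribute gives nothing to assert, and a multi-valued one is
        ambiguous, so neither is turned into a NameID.
        """
        rule = self.per_requester.get(requester, self.default)
        attribute = rule.get("attribute")
        name_format = rule.get("format")
        values = attributes.get(attribute, []) if attribute else []
        if not name_format or len(values) != 1:
            return None, None
        return values[0], name_format

    def process(self, context, data):
        data.subject_id, data.subject_type = self.select_name_id(
            data.requester, data.attributes
        )
        return super().process(context, data)


class ConstructedInternalResponse:
    """Constructed stand-in for satosa.internal.InternalData with only the
    fields this micro-service touches (requester, attributes, subject_*)."""

    def __init__(self, requester, attributes):
        self.requester = requester
        self.attributes = attributes
        self.subject_id = None
        self.subject_type = None


def demo():
    """Run the micro-service over three constructed responses and return the
    (subject_id, subject_type) pairs the frontend would receive."""
    config = {
        "default": {"attribute": "mail", "format": NAMEID_FORMAT_EMAILADDRESS},
        "requesters": {
            "https://sp.example.org/shibboleth": {
                "attribute": "eduPersonPrincipalName",
                "format": NAMEID_FORMAT_PERSISTENT,
            }
        },
    }
    # name/base_url are the keyword arguments SATOSA's loader passes to a micro-service
    service = NameIDFromAttribute(config, name="nameid", base_url="https://proxy.example.org")
    service.next = lambda context, data: data  # end of the chain in this demo

    responses = [
        # default rule: single mail value -> emailAddress NameID
        ConstructedInternalResponse("https://other.example.org/sp",
                                    {"mail": ["alice@example.org"]}),
        # per-SP rule: eduPersonPrincipalName -> persistent NameID
        ConstructedInternalResponse("https://sp.example.org/shibboleth",
                                    {"eduPersonPrincipalName": ["alice@example.org"],
                                     "mail": ["alice@example.org"]}),
        # multi-valued mail: ambiguous, so leave None and let pysaml2 go transient
        ConstructedInternalResponse("https://other.example.org/sp",
                                    {"mail": ["alice@example.org", "alice@example.com"]}),
    ]
    return [(r.subject_id, r.subject_type)
            for r in (service.process(None, r) for r in responses)]
```

demo() returns the email-format NameID for the first SP, the persistent one for the SP with its own rule, and (None, None) for the ambiguous case.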