IDP 3 Multiple NameID Formats for Transient


IDP 3 Multiple NameID Formats for Transient

ChrisP
Hello,

I need to use a custom NameID format for one client that is using my IDP.

I can edit saml-nameid.xml to use an attribute in the NameID, and this works fine; however, it affects everyone that is using the format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

I know it is possible to have 2 NameID Generators associated with the format, but it seems to just pick the first one as registered in saml-nameid.xml.

How do I go about choosing between them based on which SP is calling my IDP?

Note: I am using IDP version 3.

Re: IDP 3 Multiple NameID Formats for Transient

zhangwei
I think you should add an attribute filter in conf/attribute-filter.xml for your SP, like below:

<!-- Release the attribute used for the NameID only to the listed SPs -->
<afp:AttributeFilterPolicy id="example2">
    <!-- The policy applies when the requester's entityID matches any of these -->
    <afp:PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://another.example.org/shibboleth" />
    </afp:PolicyRequirementRule>

    <!-- Permit every value of the attribute the NameID generator reads -->
    <afp:AttributeRule attributeID="yourNameID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
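Scoping one generator to one SP inside saml-nameid.xml, as an added example (an editor's illustration, not configuration posted in this thread): it assumes the IdP 3 bean names shibboleth.SAML2NameIDGenerators, shibboleth.SAML2AttributeSourcedGenerator, shibboleth.SAML2TransientGenerator and shibboleth.Conditions.RelyingPartyId, and uses placeholder values for the SP entityID and the attribute ID yourNameID.

```xml
<!-- Added example for saml-nameid.xml (IdP 3); not from the thread above.
     Both generators are registered for the transient format. The attribute-sourced
     one carries an activation condition, so it is consulted only when the relying
     party is the one SP that needs the custom value; every other SP falls through
     to the standard transient generator. The entityID and the attribute ID
     'yourNameID' are assumed placeholders. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Custom generator: transient format, value taken from the released
         attribute 'yourNameID'. Listed first so it is tried first. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        p:attributeSourceIds="#{ {'yourNameID'} }">
        <property name="activationCondition">
            <!-- Active only for the listed relying party entityID(s) -->
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{ {'https://sp.example.org'} }" />
        </property>
    </bean>

    <!-- Default opaque transient identifier for everyone else -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

</util:list>
```

The generators registered for a format are consulted in list order, and the attribute-sourced one only yields a value when yourNameID has actually been released to that SP, which is what an attribute filter policy like the one in the reply above arranges.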