mkaayn

Reputation: 57

SAML Configuration

I have integrated SAML 2.0 in my system and I have several questions about SAML configurations file.

In my Service Provider file I have

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

In the customer's IDP file we don't have any NameIDFormat definition. What is the default NameIDFormat if the client didn't define it?

In my spring saml configuration file

<!-- Entry point that builds the AuthnRequest sent to the IdP -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="contextProvider" ref="${saml.security.context.provider}" />
    <!-- Options applied to every AuthnRequest unless overridden per request -->
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <property name="includeScoping" value="false" />
            <!-- NameIDPolicy/@Format requested from the IdP -->
            <property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            <!-- NameIDPolicy/@AllowCreate -->
            <property name="allowCreate" value="true" />
        </bean>
    </property>
</bean>

But the client told us that the policy 'persistent' is not supported on his side. If I modify the defaultProfileOptions and delete the nameID property, would the default value for the client be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (I remember that in the SP file the NameIDFormat is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and in the IDP file we don't have the NameIDFormat definition)?

Upvotes: 0

Views: 735

Answers (1)

Bernhard Thalmayr

Reputation: 2744

From the SAML specification's point of view, the NameID format

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

should be used if no NameID format is specified. However, you don't need to send any; the SAML IdP should then choose one of your SP's supported NameID formats (provided in the SAML SP metadata).

From the SAML spec's point of view, the NameID format

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

is intended to be used for the use case of 'account linking' (linkage of 2 identities in 2 different identity silos, one on the IdP side, one on the SP side).

As your use case seems to be SSO only, the intended NameID format would be

urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Upvotes: 1
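The answer above turns on what each side's metadata advertises: if the SP sends no NameIDPolicy Format, the IdP picks from the SP's list; if the SP does request one, it should be a format its own metadata advertises and, where the IdP publishes a list, one the IdP advertises too. The following is an added example, not code from the question, the answer or Spring Security SAML. It parses two constructed metadata documents (placeholder entity IDs, shaped like the asker's situation: the SP lists formats, the IdP lists none) and checks a candidate NameIDPolicy Format against both before it is placed in an AuthnRequest. The function names and the sample XML are assumptions made for the example.

```python
"""Check a candidate SAML NameIDFormat against SP and IdP metadata before
putting it in an AuthnRequest's <samlp:NameIDPolicy Format="..."/>."""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample SP metadata (placeholder entityID, not the asker's file).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample IdP metadata: like the customer's IdP in the question,
# it advertises no NameIDFormat at all.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def advertised_nameid_formats(metadata_xml, role):
    """Return the NameIDFormat values under the given role descriptor
    ('SPSSODescriptor' or 'IDPSSODescriptor'), in document order."""
    root = ET.fromstring(metadata_xml)
    elems = root.findall("md:%s/md:NameIDFormat" % role, MD_NS)
    return [(e.text or "").strip() for e in elems]


def resolve_nameid_format(requested, sp_formats, idp_formats):
    """Decide what to send as NameIDPolicy/@Format.

    requested   -- format the SP wants to ask for, or None to send no Format
                   and let the IdP choose.
    sp_formats  -- formats from the SP metadata.
    idp_formats -- formats from the IdP metadata ([] = none advertised).

    Returns (format_or_None, reason); raises ValueError when the request
    contradicts the metadata.
    """
    if requested is None:
        # No Format sent: the IdP chooses among what the SP advertises; if the
        # SP advertises nothing either, the spec default is 'unspecified'.
        if sp_formats:
            return None, "IdP chooses among SP-advertised formats: " + ", ".join(sp_formats)
        return None, "SP advertises no format; spec default is " + UNSPECIFIED

    if requested not in sp_formats:
        raise ValueError("SP metadata does not advertise %s; add it before requesting it" % requested)
    # An IdP that advertises no NameIDFormat is unconstrained by its metadata.
    # A format rejected out of band (as the customer did with 'persistent')
    # cannot be detected here; only a published list can be checked.
    if idp_formats and requested not in idp_formats:
        raise ValueError("IdP metadata does not advertise %s" % requested)
    return requested, "requested format is consistent with both metadata files"


if __name__ == "__main__":
    sp = advertised_nameid_formats(SP_METADATA, "SPSSODescriptor")
    idp = advertised_nameid_formats(IDP_METADATA, "IDPSSODescriptor")
    for req in (PERSISTENT, TRANSIENT, None):
        try:
            print(req, "->", resolve_nameid_format(req, sp, idp))
        except ValueError as exc:
            print(req, "-> rejected:", exc)
```

Run against the two constructed documents, requesting persistent is rejected because the SP metadata itself never advertises it, transient passes, and sending no Format is accepted with the IdP left to choose from the SP's list. Checking the SP side first matters in the asker's setup: the SP file advertises only unspecified, so the persistent value in WebSSOProfileOptions was inconsistent with the SP's own metadata before the customer's objection even came into play.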
