@@ -339,15 +339,25 @@ found [here](../example/plugins/backends/saml2_backend.yaml.example).
339339
340340#### Name ID Format
341341
342- The SAML backend can indicate which *Name ID* format it wants by specifying the key
343- `name_id_format` in the SP entity configuration in the backend plugin configuration:
342+ The SAML backend has two ways to indicate which *Name ID* format it wants:
343+ * `name_id_format`: is a list of strings to set the `<NameIDFormat>` element in
344+ SP metadata
345+ * `name_id_policy_format`: is a string to set the `Format` attribute in the
346+ `<NameIDPolicy>` element in the authentication request.
347+
348+ The default is to not set any of the above. Note that if the IdP can not
349+ provide the NameID in a format, which is requested in the `<NameIDPolicy>`, it
350+ must return an error.
344351
345352 ```yaml
346353 config:
347354 sp_config:
348355 service:
349356 sp:
350- name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
357+ name_id_format:
358+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
359+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
360+ name_id_policy_format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
351361 ```
352362
353363#### Use a discovery service
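Review bot: the sentence at +348..+350 ("Note that if the IdP can not provide the NameID in a format, which is requested in the `<NameIDPolicy>`, it must return an error") should name the error rather than leave it open: SAML 2.0 Core defines the second-level status code `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy` for an IdP that cannot or will not honour the requested Format, and that is the status the backend will see, so the docs should say so (also "cannot", and drop the comma after "format"). Separately, +342/+357 turn `name_id_format` from the single string shown at -350 into a list, but nothing says what happens to existing configurations that still carry the string form; add a migration note stating whether a bare string is still accepted or must become a one-element list (`- urn:oasis:names:tc:SAML:2.0:nameid-format:transient`), since a silently ignored value would change what the SP advertises in metadata.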
@@ -64,8 +64,10 @@ config:
6464 - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
6565 discovery_response:
6666 - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
67- name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
68- # A name_id_format of 'None' will cause the authentication request to not
69- # include a Format attribute in the NameIDPolicy.
70- # name_id_format: 'None'
67+
68+ # name_id_format: a list of strings to set the <NameIDFormat> element in SP metadata
69+ # name_id_policy_format: a string to set the Format attribute in the NameIDPolicy element
70+ # of the authentication request
71+ # name_id_format_allow_create: sets the AllowCreate attribute in the NameIDPolicy element
72+ # of the authentication request
7173 name_id_format_allow_create: true
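Review bot: the removed comment at -68..-70 told operators how to get an authentication request with no Format attribute in `<NameIDPolicy>`; the replacement comments at +68..+72 describe what each key sets but not the behaviour when a key is omitted, and the example now leaves both keys unset while `name_id_format_allow_create: true` stays active at line 73. Suggest adding a line stating the defaults (no `<NameIDFormat>` element in SP metadata, no Format attribute in `<NameIDPolicy>`), and a note that AllowCreate=true permits the IdP to establish a new identifier for the principal when none exists, which matters for persistent identifiers and has no effect on transient ones; the example should therefore show the pairing it intends, e.g. `name_id_policy_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` next to `name_id_format_allow_create: true`, or omit AllowCreate when demonstrating the transient case.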