Providing a persistent SAML NameID format in PingFederate
Use a custom SAML NameID format by defining a hidden attribute in the PingFederate attribute contract.
Before you begin
You must have the following product versions:
- PingFederate 10.3
About this task
Some SAML federation partner software requires a SAML NameID format of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Provide this format by adding a SAML_NAME_FORMAT attribute to the attribute contract and fulfilling it with the required format URN.
Steps
- In PingFederate, go to Applications → SP Connections.
- In the SP Connections list, select your connection.
- Click the Browser SSO tab, and then click Configure Browser SSO.
- Click the Assertion Creation tab, and then click Configure Assertion Creation.
- Click the Attribute Contract tab.
- Extend the contract using the following table as a guide.

  | Attribute Contract | Subject Name Format |
  | --- | --- |
  | SAML_SUBJECT | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
  | SAML_NAME_FORMAT | urn:oasis:names:tc:SAML:1.1:attrname-format:unspecified |

- Click Next.
- Click the Authentication Source Mapping tab and then click Map New Adapter Instance.
- On the Adapter Instance tab, in the Adapter Instance list, select your adapter. Click Next.
- On the Mapping Method tab, leave the default settings and click Next.
- On the Attribute Contract Fulfillment tab, fulfill the contract using the following table as a guide.

  | Attribute Contract | Source | Value |
  | --- | --- | --- |
  | SAML_SUBJECT | Adapter | username |
  | SAML_NAME_FORMAT | Text | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |

- Click Next until you reach the Summary tab. Click Save.
Result
This produces a SAML_SUBJECT similar to the following example.
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">joe</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
The new SAML_NAME_FORMAT value overrides the original SAML NameID format.
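To confirm the result after saving, the following added example (not part of the original page and not Ping Identity code) checks the NameID in the decoded XML of a test assertion against the persistent format URN. The sample XML is constructed, the function names are illustrative, and the script inspects only the Subject; it performs no signature validation.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: Subject of a decoded test assertion, not captured output.
TEMPLATE = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject>'
    '<saml:NameID%s>%s</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
    '</saml:Subject></saml:Assertion>'
)

def sample(fmt, value="joe"):
    """Build the constructed assertion with the given NameID Format (None omits it)."""
    attr = ' Format="%s"' % fmt if fmt else ""
    return TEMPLATE % (SAML_NS, attr, value)

def check_name_id(xml_text, expected=PERSISTENT):
    """Return a list of findings; an empty list means the NameID is as expected."""
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a Subject element passed on its own
    # (with its xmlns:saml declaration) works too.
    name_ids = [n for s in root.iter("{%s}Subject" % SAML_NS)
                for n in s.findall("{%s}NameID" % SAML_NS)]
    if len(name_ids) != 1:
        return ["expected exactly one Subject/NameID, found %d" % len(name_ids)]
    node, findings = name_ids[0], []
    fmt = node.get("Format")
    if fmt is None:
        findings.append("NameID has no Format attribute")
    elif fmt != expected:
        findings.append("Format is %s, expected %s" % (fmt, expected))
    value = (node.text or "").strip()
    if not value:
        findings.append("NameID value is empty")
    elif fmt == PERSISTENT and len(value) > 256:
        # SAML 2.0 Core limits persistent identifiers to 256 characters.
        findings.append("NameID value exceeds 256 characters")
    return findings

if __name__ == "__main__":
    # Before the change (unspecified), after it (persistent), and Format missing.
    for fmt in (UNSPECIFIED, PERSISTENT, None):
        print(fmt, "->", check_name_id(sample(fmt)) or "OK")
```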