Non-transient NameID format
By default, AM as an IdP uses the NameID format
urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Learn more in the AM documentation on
Hosted identity provider configuration properties.
When the IdP uses another NameID format, configure PingGateway to use
that NameID format by editing the Fedlet configuration file
sp-extended.xml:
-
To use the NameID value provided by the IdP, add the following attribute:
<Attribute name="useNameIDAsSPUserID"> <Value>true</Value> </Attribute> -
To use an attribute from the assertion, add the following attribute:
<Attribute name="autofedEnabled"> <Value>true</Value> </Attribute> <Attribute name="autofedAttribute"> <Value>sn</Value> </Attribute>This example uses the value in
SNto identify the subject.
Although PingGateway supports the persistent NameID format,
PingGateway doesn’t store the mapping. To configure this behavior, edit
the file sp-extended.xml:
-
To disable attempts to persist the user mapping, add the following attribute:
<Attribute name="spDoNotWriteFederationInfo"> <Value>true</Value> </Attribute> -
To enable attempts to persist the user mapping, add the following attribute:
<Attribute name="spDoNotWriteFederationInfo"> <Value>false</Value> </Attribute>
If a sign on request doesn’t contain a NameID format query parameter, the
value is defined by the presence and content of the NameID format list for
the SP and IdP. For example, an SP-initiated login can be constructed with
the binding and NameIDFormat as a parameter, as follows:
http://fedlet.example.org:7070/fedlet/SPInitiatedSSO?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedWhen the NameID format is provided in a list, it is resolved as follows:
-
If both the IdP and SP have a list, the first matching NameID format in the lists.
-
If either the IdP or SP list is empty, the first NameID format in the other list.
-
If neither the IdP nor SP has a list, AM defaults to
transientand PingGateway defaults topersistent.