I'm trying to get my head around using persistent ID as a NameID instead of the eduPersonTargetedID attribute (OID 1.3.6.1.4.1.5923.1.1.1.10).
I've started editing saml-nameid.properties and saml-nameid.xml - uncommenting the bean ref `<ref bean="shibboleth.SAML2PersistentGenerator" />` and setting

and also setting

```
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
```
I used `uid` as the source attribute. I already did have uid imported as an IdP attribute from LDAP (`<resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">`), but PersistentSAML2NameIDGenerator was failing with:
It started working after I explicitly released the attribute in attribute-filter.xml.
I can see in PersistentSAML2NameIDGenerator.getIdentifier() that the attribute is being looked up in the AttributeContext retrieved from the ProfileContext.
I would understand why the attribute is not found if the attribute filter removes it, but to me as a deployer, this seems to be a bug.
I should be able to define PersistentNameID based on a source attribute without having to release the source attribute.
I can still imagine a workaround like defining the attribute without any encoder, but that makes it a hack...
Did I get right what's happening?
And is there a reasonable fix for it?
Thanks a lot in advance for getting back to me!
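The workaround the post mentions (a source attribute with no encoder) spelled out as configuration, added here as an example and not taken from the post or from the Shibboleth distribution. It defines a dedicated attribute `persistentIdSource` in attribute-resolver.xml that copies `uid` but carries no `AttributeEncoder`, points the generator at it in saml-nameid.properties, and releases it to every relying party in attribute-filter.xml. Because the attribute has no encoder it passes the filter (so the generator finds it in the AttributeContext) but is never encoded into the assertion, so `uid` itself stays unreleased. The data connector id `myLDAP` and the policy id are assumptions; adjust them to the local resolver.

```xml
<!-- attribute-resolver.xml (fragment, assumed to sit inside the existing
     resolver:AttributeResolver root with the resolver:/ad: prefixes already declared) -->
<resolver:AttributeDefinition id="persistentIdSource" xsi:type="ad:Simple"
                              sourceAttributeID="uid">
    <!-- "myLDAP" is an assumed data connector id; use the one that supplies uid -->
    <resolver:Dependency ref="myLDAP" />
    <!-- deliberately no AttributeEncoder: this attribute exists only to feed
         the persistent NameID generator and must never reach an SP as an attribute -->
</resolver:AttributeDefinition>

<!-- saml-nameid.properties (fragment): make the generator read the dedicated attribute -->
<!--
idp.persistentId.sourceAttribute = persistentIdSource
idp.persistentId.salt = REPLACE_WITH_A_LONG_RANDOM_SALT
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-->

<!-- attribute-filter.xml (fragment, inside the existing AttributeFilterPolicyGroup):
     release the encoder-less source attribute to all relying parties so that it
     survives filtering and is visible to PersistentSAML2NameIDGenerator -->
<AttributeFilterPolicy id="releasePersistentIdSource">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="persistentIdSource">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

After restarting the IdP, check a decoded assertion from a test SP: the `Subject` should carry a `NameID` with `Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"`, and the `AttributeStatement` should contain neither `uid` nor `persistentIdSource`. If `uid` appears there, a release rule for the real attribute is still in place and the pseudonymity of the persistent identifier is undone.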