> In all of my test cases the NameQualifier was set to the issuer of the
> AuthnRequest, which is the SP.
> That's why the Shibboleth SP ignores the subject ID.

Judging by the spec, at least for "persistent" identifiers,

> In the case of an identifier with a Format of
> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, the NameQualifier
> attribute MUST contain the unique identifier of the identity provider that
> created the identifier.

So yes, this seems wrong.

> My quickfix would be to use the entityId of the IdP, but that will not
> handle relying IdPs.

Don't follow the last bit. What do you mean "relying IdPs"? You'll need to account for entity ID overrides as well on a per-SP basis; may or may not be that quick.

> Is it a bug? Should I open a PR?

Sure.
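The NameQualifier check discussed in this thread, as an added example that is not part of the original message and is not CAS or Shibboleth code. The entity IDs, the sample assertion and the function names are constructed for illustration; the IdP entity ID is passed in explicitly so that a per-SP override can be supplied.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed entity IDs and assertion template, for illustration only.
IDP = "https://idp.example.org/idp"
SP = "https://sp.example.org/shibboleth"
TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Issuer>{idp}</saml:Issuer><saml:Subject>"
    '<saml:NameID Format="{fmt}" NameQualifier="{nq}" SPNameQualifier="{sp}">'
    "constructed-opaque-id</saml:NameID></saml:Subject></saml:Assertion>"
)


def sample_assertion(name_qualifier, fmt=PERSISTENT):
    """Build a constructed, unsigned assertion with the given NameQualifier."""
    return TEMPLATE.format(idp=IDP, sp=SP, fmt=fmt, nq=name_qualifier)


def check_name_qualifier(assertion_xml, idp_entity_id, sp_entity_id):
    """Classify the NameQualifier on the Subject NameID of a SAML assertion.

    idp_entity_id is the entity ID the IdP presents to this SP, so the
    caller can pass a per-SP override instead of the default entity ID.
    """
    # ElementTree is used here on constructed test input only.
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return "no-name-id"
    if name_id.get("Format") != PERSISTENT:
        return "not-persistent"  # the quoted MUST concerns persistent IDs
    qualifier = name_id.get("NameQualifier")
    if qualifier is None:
        return "absent"  # no attribute value to compare
    if qualifier == idp_entity_id:
        return "ok"
    if qualifier == sp_entity_id:
        return "sp-as-qualifier"  # the behaviour reported in this thread
    return "mismatch"


if __name__ == "__main__":
    for label, nq in (("reported", SP), ("expected", IDP)):
        print(label, check_name_qualifier(sample_assertion(nq), IDP, SP))
```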
