Thanks for your fast answer. I will have a look, on how to fix it for persistent NameIdFormat.
My question was: What would be the correct unique identifier (entityId) in case of delegated authentication?

Misagh Moayyed wrote on Tuesday, 14 September 2021 at 15:08:41 UTC+2:

> > In all of my testcases the NameQualifier was set to the issuer of the
> > AuthnRequest, which is the SP.
> > That's why the Shibboleth SP ignores the subject ID.
>
> Judging by the spec, at least for "persistent" identifiers,
>
> > In the case of an identifier with a Format of
> > urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, the NameQualifier
> > attribute MUST contain the unique identifier of the identity provider that
> > created the identifier.
>
> So yes, this seems wrong.
>
> > My quickfix would be to use the entityId of the IdP, but that will not
> > handle relying IdPs.
>
> Don't follow the last bit. What do you mean "relying IdPs"?
>
> You'll need to account for entity ID overrides as well on a per-SP
> basis; may or may not be that quick.
>
> > Is it a bug? Should I open a PR?
>
> Sure.
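As an added illustration (not code from this thread, from CAS or from Shibboleth), here is a small Python check of the rule the spec quote states, roughly what a strict SP applies before accepting a persistent NameID: the NameQualifier must equal the entityID of the IdP that issued the assertion, not the SP that sent the AuthnRequest. The entity IDs and the unsigned Response are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed entity IDs for the illustration (not from the thread)
IDP = "https://idp.example.org/idp"
SP = "https://sp.example.org/shibboleth"

def check_persistent_nameid(response_xml: str, sp_entity_id: str) -> list:
    """Return the list of problems with the Subject's NameID (empty = acceptable).
    Only the qualifier rules are checked here; a real SP verifies the signature,
    audience and conditions before it ever looks at the NameID."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    if name_id.get("Format") != PERSISTENT:
        return []  # the NameQualifier rule below applies to persistent IDs only
    problems = []
    nq = name_id.get("NameQualifier")
    if nq is None:
        problems.append("persistent NameID has no NameQualifier")
    elif nq != issuer:  # SAML Core: MUST be the IdP that created the identifier
        problems.append(f"NameQualifier {nq!r} is not the IdP entityID {issuer!r}")
    if nq == sp_entity_id:  # the symptom described in the thread
        problems.append("NameQualifier is the SP's entityID (issuer of the AuthnRequest)")
    spnq = name_id.get("SPNameQualifier")
    if spnq is not None and spnq != sp_entity_id:
        problems.append(f"SPNameQualifier {spnq!r} is not this SP {sp_entity_id!r}")
    return problems

def sample_response(name_qualifier: str) -> str:
    """Constructed, unsigned, minimal Response used only to exercise the check."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}" NameQualifier="{name_qualifier}"
      SPNameQualifier="{SP}">abc123</saml:NameID></saml:Subject>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_persistent_nameid(sample_response(SP), SP))   # wrong: SP as qualifier
    print(check_persistent_nameid(sample_response(IDP), SP))  # []
```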
