No problem. If you look at `SamlProfileSamlAssertionBuilder`, you'll find how to resolve the entity ID, in case the SP overrides for IDP metadata. For delegation, the entity id is always that of CAS, resolved the same way, since CAS is the primary IDP to the SP anyway. The fact that an external IDP was used to authenticate is not relevant in that context.
On Tue, Sep 14, 2021 at 5:18 PM Robert <[email protected]> wrote:
>
> Thanks for your fast answer. I will have a look on how to fix it for
> persistent NameIdFormat.
>
> My question was: What would be the correct unique identifier (entityId) in
> case of delegated authentication?
>
>
> Misagh Moayyed wrote on Tuesday, 14 September 2021 at 15:08:41 UTC+2:
>>
>> > In all of my test cases the NameQualifier was set to the issuer of the
>> > AuthnRequest, which is the SP.
>> > That's why the Shibboleth SP ignores the subject ID.
>>
>> Judging by the spec, at least for "persistent" identifiers,
>>
>> > In the case of an identifier with a Format of
>> > urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, the NameQualifier
>> > attribute MUST contain the unique identifier of the identity provider that
>> > created the identifier.
>>
>> So yes, this seems wrong.
>>
>> > My quickfix would be to use the entityId of the IdP, but that will not
>> > handle relying IdPs.
>>
>> Don't follow the last bit. What do you mean "relying IdPs"?
>>
>> You'll need to account for entity ID overrides as well on a per-SP
>> basis; may or may not be that quick.
>>
>> > Is it a bug? Should I open a PR?
>>
>> Sure.
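The spec rule quoted in this thread, as an added check (not CAS or Shibboleth code): it parses an assertion with the standard library and reports a persistent NameID whose NameQualifier is not the issuing IdP, which is exactly what makes the Shibboleth SP drop the subject. The entity IDs, the assertion and the function names are constructed for the example.

```python
"""Check that a persistent SAML NameID carries the right qualifiers.

Added example, not CAS or Shibboleth code. It applies the spec rule quoted in
the thread: for the persistent Format, NameQualifier MUST be the entityID of
the IdP that created the identifier (taken here as the assertion Issuer), and
SPNameQualifier, when present, names the SP it was issued to. The entity IDs
and the assertion are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
IDP = "https://cas.example.org/idp"        # constructed IdP entityID
SP = "https://sp.example.org/shibboleth"   # constructed SP entityID


def check_persistent_nameid(assertion_xml: str, sp_entity_id: str) -> list:
    """Return the problems found; an empty list means the NameID is acceptable."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None:
        return ["assertion lacks Issuer or Subject/NameID"]
    if name_id.get("Format") != PERSISTENT:
        return []  # the rule only applies to persistent identifiers
    problems = []
    qualifier = name_id.get("NameQualifier")
    if qualifier is None:
        problems.append("persistent NameID has no NameQualifier")
    elif qualifier != issuer:
        problems.append(f"NameQualifier {qualifier!r} is not the issuing IdP {issuer!r}")
    sp_qualifier = name_id.get("SPNameQualifier")
    if sp_qualifier is not None and sp_qualifier != sp_entity_id:
        problems.append(f"SPNameQualifier {sp_qualifier!r} is not the SP {sp_entity_id!r}")
    return problems


def sample_assertion(name_qualifier: str) -> str:
    """Constructed, unsigned assertion from IDP to SP with the given NameQualifier."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_1" Version="2.0" '
        f'IssueInstant="2021-09-14T13:08:41Z"><saml:Issuer>{IDP}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{PERSISTENT}" '
        f'NameQualifier="{name_qualifier}" SPNameQualifier="{SP}">abc123'
        f'</saml:NameID></saml:Subject></saml:Assertion>'
    )


if __name__ == "__main__":
    print(check_persistent_nameid(sample_assertion(SP), SP))   # the bug reported above
    print(check_persistent_nameid(sample_assertion(IDP), SP))  # [] once NameQualifier is the IdP
```

The same check can be pointed at a real assertion captured from the SP side of a delegated login, where the Issuer should still be CAS rather than the external IdP.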
