
shibboleth-dev - Re: comments: draft-mace-shibboleth-arch-protocols-02


Re: comments: draft-mace-shibboleth-arch-protocols-02


  • From: Alistair Young <>
  • To: "Scott Cantor" <>
  • Cc: <>
  • Subject: Re: comments: draft-mace-shibboleth-arch-protocols-02
  • Date: Mon, 1 Nov 2004 14:55:03 +0000

maybe I'm reading it wrong, or I've got the wrong version of the spec:

3.3 NameIdentifier Profile
SAML identifies principals in assertions using the <saml:NameIdentifier> element, which contains a
pair of descriptive XML attributes, Format and NameQualifier.
Shibboleth permits any legal SAML name identifier to be used, and also defines a special kind of identifier
with the Format value of urn:mace:shibboleth:1.0:nameIdentifier. Identifiers of this format
MUST adhere to the following criteria:
• The identifier has transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party.

Alistair


On 1 Nov 2004, at 14:36, Scott Cantor wrote:

> > SAML1 has a nameID but shibb defines its own namespace for this which
> > says it should be opaque and transient.
>
> It says no such thing. It defines a means of doing this when you need to
> because assuming privacy is a concern is a better default than not assuming
> it.
>
> > I haven't spotted this use case in SAML2 (maybe I'm missing something)
>
> Yep.
>
> Check section 8.3.7 of core. That is effectively the definition of eptid
> that I want to move to.
>
> -- Scott
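As an added illustration, not part of this thread and not Shibboleth project code, the following Python sketch shows how a relying party can parse a SAML 1 <saml:NameIdentifier>, read its Format and NameQualifier attributes, and act on the semantics quoted above: an identifier in the urn:mace:shibboleth:1.0:nameIdentifier format is kept only as an opaque, session-scoped handle and is never written to a durable account store. The assertion fragment is constructed for the example; the RelyingParty class, its two stores and the classify() helper are assumptions; the SAML 2.0 persistent-format URI is taken from SAML 2.0 core, not from this page.

```python
"""Relying-party handling of SAML NameIdentifier formats (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Format defined by the Shibboleth draft quoted in the thread: transient, opaque.
SHIB_TRANSIENT = "urn:mace:shibboleth:1.0:nameIdentifier"
# Persistent identifier format from SAML 2.0 core (known URI, not quoted on this page).
SAML2_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion fragment; issuer and value are made up for the example.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="{SHIB_TRANSIENT}"
                           NameQualifier="https://idp.example.org/shibboleth">
        _a7f3c9e1b2d4
      </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""


@dataclass(frozen=True)
class NameID:
    value: str
    format: Optional[str]
    qualifier: Optional[str]


def parse_name_identifier(assertion_xml: str) -> NameID:
    """Extract the first NameIdentifier and its two descriptive attributes."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if nid is None:
        raise ValueError("no NameIdentifier in assertion")
    return NameID((nid.text or "").strip(), nid.get("Format"), nid.get("NameQualifier"))


def classify(nid: NameID) -> str:
    """Map the Format URI to the semantics the relying party must honour."""
    if nid.format == SHIB_TRANSIENT:
        return "transient"
    if nid.format == SAML2_PERSISTENT:
        return "persistent"
    return "other"


class RelyingParty:
    """Hypothetical relying party that stores only what the Format permits."""

    def __init__(self) -> None:
        # Transient handles live only as long as the session; nothing durable.
        self.sessions: dict = {}
        # Persistent identifiers may be linked to a local account, keyed by
        # (NameQualifier, value) so identical values from different IdPs do not collide.
        self.accounts: dict = {}

    def accept(self, nid: NameID) -> str:
        kind = classify(nid)
        if kind == "transient":
            # Opaque and temporary: key a session on it, never an account record.
            self.sessions[nid.value] = {"qualifier": nid.qualifier}
            return "session"
        if kind == "persistent":
            self.accounts.setdefault((nid.qualifier, nid.value), {})
            return "account"
        # Unknown formats are rejected rather than guessed at.
        raise ValueError(f"unsupported NameIdentifier format: {nid.format}")


if __name__ == "__main__":
    rp = RelyingParty()
    nid = parse_name_identifier(SAMPLE_ASSERTION)
    print(classify(nid), rp.accept(nid), rp.sessions, rp.accounts)
```

The point of the split store is the one the quoted spec text makes: a relying party that indexes a user database by a transient identifier will simply accumulate one orphaned record per login, so the Format attribute, not the identifier's appearance, decides what may be kept.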




Archive powered by MHonArc 2.6.16.