SAML2 NameID Selection
Each service may specify a required Name ID format. If left undefined, the metadata will be consulted to find the right format. The Name ID value is always the authenticated user that is designed to be returned to this service. In other words, if you decide to configure CAS to return a particular attribute as the authenticated user name for this service, that value will then be used to construct the Name ID along with the right format.
Examples
The following service definition instructs CAS to use the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
as the final Name ID format, and use the mail
attribute value as the final Name ID value.
1
2
3
4
5
6
7
8
9
10
11
12
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "the-entity-id-of-the-sp",
"name": "SAML Service",
"metadataLocation": "/path/to/sp-metadata.xml",
"id": 1,
"requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "mail",
}
}
The following service definition instructs CAS to use the urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
as the final Name ID format, and use the sysid
attribute value and the scope example.org
. The final Name ID value would then
be constructed as <sysid-attribute-value>@example.org
.
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "the-entity-id-of-the-sp",
"name": "SAML Service",
"metadataLocation": "/path/to/sp-metadata.xml",
"id": 1,
"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "sysid",
"scope": "example.org"
}
}
The following service definition instructs CAS to use the urn:oasis:names:tc:SAML:2.0:nameid-format:transient
as the final Name ID format,
and use the cn
attribute value in upper-case as the final Name ID value, skipping the generation of transient value per the required format.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "the-entity-id-of-the-sp",
"name": "SAML Service",
"metadataLocation": "/path/to/sp-metadata.xml",
"id": 1,
"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"skipGeneratingTransientNameId" : true,
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "cn",
"canonicalizationMode" : "UPPER"
}
}
The following service definition instructs CAS to use the cn
attribute value to create a persistent Name ID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "the-entity-id-of-the-sp",
"name": "SAML Service",
"metadataLocation": "/path/to/sp-metadata.xml",
"id": 1,
"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider",
"persistentIdGenerator" : {
"@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
"salt" : "aGVsbG93b3JsZA==",
"attribute": "cn"
}
}
}