SAML2 NameID Selection
Each service may specify a required Name ID format. If left undefined, the metadata will be consulted to find the right format. The Name ID value is always the authenticated user that is designed to be returned to this service. In other words, if you decide to configure CAS to return a particular attribute as the authenticated user name for this service, that value will then be used to construct the Name ID along with the right format.
-
The following service definition instructs CAS to use the
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
as the final Name ID format, and use themail
attribute value as the final Name ID value.1 2 3 4 5 6 7 8 9 10 11 12
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": "the-entity-id-of-the-sp", "name": "SAML Service", "metadataLocation": "/path/to/sp-metadata.xml", "id": 1, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } }
-
The following service definition instructs CAS to use the
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
as the final Name ID format, and use thesysid
attribute value and the scopeexample.org
. The final Name ID value would then be constructed as<sysid-attribute-value>@example.org
.1 2 3 4 5 6 7 8 9 10 11 12 13
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": "the-entity-id-of-the-sp", "name": "SAML Service", "metadataLocation": "/path/to/sp-metadata.xml", "id": 1, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "sysid", "scope": "example.org" } }
-
The following service definition instructs CAS to use the
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
as the final Name ID format, and use thecn
attribute value in upper-case as the final Name ID value, skipping the generation of transient value per the required format.1 2 3 4 5 6 7 8 9 10 11 12 13 14
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": "the-entity-id-of-the-sp", "name": "SAML Service", "metadataLocation": "/path/to/sp-metadata.xml", "id": 1, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "skipGeneratingTransientNameId" : true, "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "cn", "canonicalizationMode" : "UPPER" } }
-
The following service definition instructs CAS to use the
cn
attribute value to create a persistent Name ID.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": "the-entity-id-of-the-sp", "name": "SAML Service", "metadataLocation": "/path/to/sp-metadata.xml", "id": 1, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider", "persistentIdGenerator" : { "@class" : "org.apereo.cas.authentication.attribute.ShibbolethCompatiblePersistentIdGenerator", "salt" : "aGVsbG93b3JsZA==", "attribute": "cn" } } }