[Satosa-dev] controlling NameID format and value sent to SP

Hi, I have been asked off-list the same question by a couple of different people. The question is "how can I get SATOSA to send a specific NameID value and format to the requesting SP?" They usually ask after trying, in vain, to configure the SAML2 frontend and/or the SAML metadata for the SP to specify a particular NameID format (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). My reading of lines 339 to 353 in .../frontends/saml2.py is that there is no way to force, either through configuration of the frontend or in SAML metadata what format is used for NameID, nor what value is used. Rather what happens is that the frontend takes whatever values are set for internal_response.subject_id internal_response.subject_type and creates a NameID element object and passed it to pysaml2 to create the actual response. The only exception to that rule is if internal_response.subject_id is None, then pysaml2 is passed None, and it has code that then defaults to creating a transient NameID (which I argue is the most sensible thing it can do). So to my reading, the only and correct way to affect what the SATOSA SAML frontend sends for the NameID is to have a response microservice that sets internal_response.subject_id internal_response.subject_type before the frontend begins processing the response. The only alternative is to just accept what is passed through from the backend. Is my analysis correct?

Thanks, Scott K P.S. I have been using a microservice(s) to set internal_response.subject_id internal_response.subject_type for quite some time and it works just fine. _______________________________________________ Satosa-dev mailing list Satosa-dev at lists.sunet.se https://lists.sunet.se/listinfo/satosa-dev