
Re: [TAS3 Wiki] #162: Does the BPEL engine need to communicate with the IdP?



TAS3 Trac System wrote:
> #162: Does the BPEL engine need to communicate with the IdP?
> Comment(by jens):
>
>  Hi,
>
>  I am playing around with zxidsrvlet and outputting the fields that are
>  stored in the session.
>
>  With two subsequent logins of testuser at idpdemo.tas3.eu, I get:
>
>  idpnid = TXYyc5hqdP4Tc8TzR1X4f9qQe
>
>  idpnid = TTA2X5nt0Bhtb802lBRaKOzta
>
>
>  The description in the docs is: "idpnid   The federated ID, or pseudonym
>  (IdP assigned NameID)."
>
>  Is there any field which does not change for between logins?

You are getting transient NameIDs. If you want a persistent NameID,
you need to pass in AuthnRequest/NameIDPolicy
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

By default the SP's IdP selection screen is configured with NameIDPolicy
set to (none), which results in the IdP picking transient by default. You
need to change that to persistent, or make a hidden field like

<input type=hidden name=fn value=prstnt>

For discovery you control persistence with the DI_NID_FMT=p configuration
option.

Cheers,
--Sampo

> --
> Ticket URL: <https://portal.tas3.eu/trac/ticket/162#comment:6>
> TAS3 Wiki <https://portal.tas3.eu/trac/>
> Central documentation and ticket hub for the TAS3 project.
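The behaviour discussed in this thread, as an added example that is not part of the ticket, the thread, or the zxid code base: it builds a SAML 2.0 AuthnRequest with and without a NameIDPolicy, shows how to read back the requested format, and adds the check an SP should make on the returned assertion, since an IdP may ignore the policy and hand back a transient NameID anyway. The SP and IdP entity IDs, the ACS URL and the sample Response are constructed; the two NameID values are the ones jens pasted in the ticket.

```python
"""Build SAML 2.0 AuthnRequests with and without a NameIDPolicy and inspect
the NameID format that comes back.  Added example; it is not zxid code and
uses only the standard library.  Entity IDs and URLs below are constructed."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, nameid_format=None,
                        request_id=None, issue_instant=None):
    """Serialize an AuthnRequest.  With nameid_format=None no NameIDPolicy is
    emitted, which is the "(none)" case from the thread: the IdP then picks
    its own default, typically transient."""
    now = datetime.datetime.now(datetime.timezone.utc)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    if nameid_format is not None:
        # AllowCreate lets the IdP mint a new persistent pseudonym on the
        # first federation; without it an unfederated user gets an error.
        ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def requested_nameid_format(authn_request_xml):
    """Return the Format asked for in NameIDPolicy, or None if no policy."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def assertion_nameid(response_xml):
    """Return (Format, value) of the Subject NameID in the first Assertion."""
    root = ET.fromstring(response_xml)
    nid = root.find(f".//{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None:
        return None, None
    return nid.get("Format"), (nid.text or "").strip()


def nameid_honours_policy(response_xml, requested_format):
    """SP-side check: did the IdP return the NameID format we asked for?
    A transient NameID where persistent was requested must not be stored
    as a stable user key."""
    fmt, _ = assertion_nameid(response_xml)
    return fmt == requested_format


def is_stable_across_logins(observed_nids):
    """True only if every login produced the same NameID (persistent)."""
    return len(set(observed_nids)) == 1


# Constructed Response carrying one of the transient IDs from the ticket;
# the IdP entity ID is a placeholder, not the real idpdemo.tas3.eu metadata.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
    <saml:Issuer>https://idpdemo.tas3.eu/placeholder-entity-id</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NID_TRANSIENT}">TXYyc5hqdP4Tc8TzR1X4f9qQe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    req = build_authn_request("https://sp.example/metadata",
                              "https://sp.example/acs",
                              nameid_format=NID_PERSISTENT)
    print(req)
    print("requested:", requested_nameid_format(req))
    print("returned:", assertion_nameid(SAMPLE_RESPONSE))
    print("policy honoured:", nameid_honours_policy(SAMPLE_RESPONSE, NID_PERSISTENT))
    print("stable idpnid:", is_stable_across_logins(
        ["TXYyc5hqdP4Tc8TzR1X4f9qQe", "TTA2X5nt0Bhtb802lBRaKOzta"]))
```

The two idpnid values from the ticket fail `is_stable_across_logins`, which is exactly the symptom of a transient NameID; after switching the policy to persistent, the same check against a few subsequent logins confirms the change took effect, and `nameid_honours_policy` catches an IdP that silently falls back to transient.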