francescm
commented
3 years ago yes it's a leftover!
But it can't be https://{sp_fqdn}/shibboleth because we are in the NameQalifier != entityID case.
What about mydomain.edu?
Closed francescm closed 3 years ago
francescm
commented
3 years ago yes it's a leftover!
But it can't be https://{sp_fqdn}/shibboleth because we are in the NameQalifier != entityID case.
What about mydomain.edu?
robertogallea
commented
3 years ago Ok, it is clearer to me now.
You are allowed to set NameQualifier attribute to something different from entityID. The following example AuthnRequest:
<samlp:AuthnRequest xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” AssertionConsumerServiceIndex=“0" AttributeConsumingServiceIndex=“0” Destination=“https://id.lepida.it/idp/profile/SAML2/Redirect/SSO” ForceAuthn=“true” ID=“_9ea1f546c32b763de33a64362dd25dd0" IssueInstant=“2021-06-11T08:58:51Z” Version=“2.0" xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion” ><saml:Issuer Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity” NameQualifier=“unimore.it” >https://spid.unimore.it/sp </saml:Issuer><samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:transient” /><samlp:RequestedAuthnContext Comparison=“exact”><saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>is valid and works, ifaudienceinsecurity-policy.xmlis updated accordingly.