PingGateway 2024.11

Non-transient NameID format

By default, AM as an IdP uses the NameID format urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Learn more in the AM documentation on Hosted identity provider configuration properties.

When the IdP uses another NameID format, configure PingGateway to use that NameID format by editing the Fedlet configuration file sp-extended.xml:

  • To use the NameID value provided by the IdP, add the following attribute:

    <Attribute name="useNameIDAsSPUserID">
      <Value>true</Value>
    </Attribute>
  • To use an attribute from the assertion, add the following attribute:

    <Attribute name="autofedEnabled">
      <Value>true</Value>
    </Attribute>
    <Attribute name="autofedAttribute">
      <Value>sn</Value>
    </Attribute>

    This example uses the value in SN to identify the subject.

Although PingGateway supports the persistent NameID format, PingGateway doesn’t store the mapping. To configure this behavior, edit the file sp-extended.xml:

  • To disable attempts to persist the user mapping, add the following attribute:

    <Attribute name="spDoNotWriteFederationInfo">
      <Value>true</Value>
    </Attribute>
  • To enable attempts to persist the user mapping, add the following attribute:

    <Attribute name="spDoNotWriteFederationInfo">
      <Value>false</Value>
    </Attribute>

If a sign on request doesn’t contain a NameID format query parameter, the value is defined by the presence and content of the NameID format list for the SP and IdP. For example, an SP-initiated login can be constructed with the binding and NameIDFormat as a parameter, as follows:

http://fedlet.example.org:7070/fedlet/SPInitiatedSSO?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

When the NameID format is provided in a list, it is resolved as follows:

  • If both the IdP and SP have a list, the first matching NameID format in the lists.

  • If either the IdP or SP list is empty, the first NameID format in the other list.

  • If neither the IdP nor SP has a list, AM defaults to transient and PingGateway defaults to persistent.

Copyright © 2010-2024 ForgeRock, all rights reserved.