Sun OpenSSO Enterprise 8.0 Administration Guide

Formatting Name Identifiers

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a principal. As of this release, OpenSSO Enterprise supports the following name identifier formats.

OpenSSO Enterprise defines these name identifiers in the identity provider's standard metadata. If the service provider does not request a specific name identifier format, a default format must be used in the authentication response. To enable one or more of the supported formats, add a name identifier format/user attribute map to the identity provider's extended metadata; the name identifier is then generated from the specified user profile attribute. Each value is formatted as name ID format=user profile attribute, as in the following XML sample:

<Attribute name="nameIDFormatMap">
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
  <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
</Attribute>

If a user profile attribute is specified, the name ID value is the value of that user profile attribute. If no user profile attribute is specified, an exception is thrown. If the name ID format is persistent or transient, a random string is generated. For more information on persistent and transient identifiers, see Configuring SAMLv2 Single Sign-on without Service Provider User Accounts.
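The following added example (not OpenSSO Enterprise code, and not the product's actual implementation) illustrates the mapping rules described above: it parses a constructed copy of the nameIDFormatMap attribute and resolves a name ID for a user profile. The function names, the constructed profile, the random-string length, and the use of a default format when none is requested are all assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed copy of the extended-metadata attribute from the guide (sample data).
NAMEID_FORMAT_MAP_XML = """
<Attribute name="nameIDFormatMap">
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
  <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
</Attribute>
"""

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def parse_nameid_format_map(xml_text):
    """Return {name ID format: user profile attribute} from a nameIDFormatMap attribute.

    An entry with nothing after '=' maps the format to the empty string, which
    mirrors the guide's sample where some formats are listed without an attribute.
    """
    root = ET.fromstring(xml_text)
    mapping = {}
    for value in root.findall("Value"):
        fmt, sep, attr = (value.text or "").strip().partition("=")
        if not sep:
            raise ValueError("entry is not of the form format=attribute: %r" % value.text)
        mapping[fmt] = attr.strip()
    return mapping


def resolve_name_id(requested_format, mapping, profile,
                    default_format=EMAIL_FORMAT, random_string=secrets.token_hex):
    """Apply the guide's rules to pick a name ID value for one principal.

    - persistent/transient: a random string (length here is an assumption)
    - mapped format with an attribute: the profile attribute's value
    - mapped format without an attribute: an exception
    - no requested format: fall back to the (assumed) default format
    """
    fmt = requested_format or default_format
    if fmt in (PERSISTENT_FORMAT, TRANSIENT_FORMAT):
        return random_string(16)
    if fmt not in mapping:
        raise LookupError("name ID format is not enabled in nameIDFormatMap: " + fmt)
    attr = mapping[fmt]
    if not attr:
        raise ValueError("no user profile attribute is mapped for " + fmt)
    if attr not in profile:
        raise LookupError("user profile has no attribute %r" % attr)
    return profile[attr]


if __name__ == "__main__":
    # Constructed user profile for demonstration.
    profile = {"mail": "alice@example.com", "uid": "alice"}
    mapping = parse_nameid_format_map(NAMEID_FORMAT_MAP_XML)
    print(resolve_name_id(EMAIL_FORMAT, mapping, profile))
    print(resolve_name_id(TRANSIENT_FORMAT, mapping, profile))
```

Running the script prints the e-mail address for the emailAddress format and a fresh random value for the transient format; requesting X509SubjectName with the sample map raises, because the map lists that format without a user profile attribute.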


Note –

To disable one or more name ID formats, the format XML tags can be removed from the identity provider's standard metadata.