Is it possible to have SAML2 Identity Server send an assertion with NAMEID Format as transient with a value of the users email address, or any attribute value?

  • 7017497
  • 13-Apr-2016
  • 13-Apr-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0
NetIQ Access Manager Identity Server acting as SAML2 Identity Provider

Situation

Customer is trying to create a federation, and these are the requirements of the SP:

1. The NameIDFormat MUST be transient.
2. The value sent in the NameID MUST be the user's email address.

The Access Manager documentation clearly states that the Transient and Persistent name identifier formats are auto-generated:

Specify the value for the name identifier.
The persistent and transient formats are generated automatically. For the others, you can select
an attribute. The available attributes depend upon the attributes that you have selected to send
with authentication (see “Configuring the Attributes Obtained at Authentication” on page 375). If
you do not select a value for the E-mail, Kerberos, X509, or Unspecified format, a unique value
is automatically generated.

Is it possible to generate an Authentication Response from the NAM IDP server with a transient name identifier format and a value that is static in nature, e.g. an LDAP attribute?

Resolution

Per the SAML core specs, the transient Name Identifier format must be treated as a temporary value, and should never be assigned a static value such as an LDAP attribute.

8.3.8 Transient Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated
as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in
accordance with the rules for SAML identifiers (see Section 1.3.4), and MUST NOT exceed a length of
256 characters.

If we add an LDAP attribute value such as an email address, the identifier is neither opaque nor temporary: it will be the same for every session.

The Name Identifier Profile and Management specification also adds the following:

3.6 Transient Identifiers

SAML 2.0 shall provide a facility enabling a principal’s identity to be reflected to relying parties
anonymously (in effect), using non-persistent identifiers. Identifiers of this type may be obtained upon
relying party request; additionally, principals may designate that they are to be so represented to relying
parties within the scope of a session. This facility shall be applicable independent of whether or not the
principal has a federation relationship between the SAML authentication authority and any of the relying
parties receiving assertions within the session. Desirably, it should be possible for a principal to request and/or configure use of this facility at the granularity of individual relying parties.

Again, adding an LDAP attribute such as the user's email address is not anonymous and defeats the purpose of using a transient ID.
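The rules quoted above can be checked mechanically on the SP or audit side. The following is an added example, not NetIQ or Access Manager code: it parses a minimal assertion, flags a transient NameID that exceeds 256 characters or simply repeats a static attribute such as the user's email, and confirms that two sessions for the same principal receive different transient values. The assertions, the email address and the identifier values are all constructed for the example.

```python
# Added example (not NetIQ/NAM code): audit SAML2 assertions for transient NameID semantics.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def extract_nameid(assertion_xml: str):
    """Return (Format, value) of the assertion's Subject/NameID element."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("./saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("assertion has no Subject/NameID")
    return nameid.get("Format", ""), (nameid.text or "").strip()

def check_transient_nameid(assertion_xml: str, static_values) -> list:
    """Findings (empty list = OK) against the rules quoted in the article:
    a transient value is opaque and temporary, must not exceed 256 characters,
    and must not simply be a static attribute such as the user's e-mail."""
    fmt, value = extract_nameid(assertion_xml)
    findings = []
    if fmt != TRANSIENT:
        findings.append(f"NameID Format is {fmt!r}, not transient")
    if len(value) > 256:
        findings.append(f"NameID value is {len(value)} chars, limit is 256")
    for static in static_values:
        if value.lower() == static.lower():
            findings.append(f"NameID value equals static attribute {static!r}")
    return findings

def transient_values_differ(assertion_a: str, assertion_b: str) -> bool:
    """Two sessions for the same principal must not reuse the transient value."""
    return extract_nameid(assertion_a)[1] != extract_nameid(assertion_b)[1]

def assertion(nameid_format: str, nameid_value: str) -> str:
    # Constructed minimal assertion: just enough structure for the Subject check.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject>"
        f'<saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )

# Constructed sample data: the requested (non-compliant) shape next to a compliant one.
USER_EMAIL = "alice@example.com"                 # constructed value
BAD = assertion(TRANSIENT, USER_EMAIL)            # email stuffed into a transient NameID
GOOD_1 = assertion(TRANSIENT, "_a4f1c9e0b8d3")   # constructed opaque per-session identifiers
GOOD_2 = assertion(TRANSIENT, "_7e2b0d5c9a11")

if __name__ == "__main__":
    print(check_transient_nameid(BAD, [USER_EMAIL]), transient_values_differ(GOOD_1, GOOD_2))
```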