IBM Tivoli Federated Identity Manager, Version 6.2.2

Handling an unspecified name identifier

Learn how an unspecified name identifier is processed in a SAML 2.0 federation.

When a SAML 2.0 identity provider receives a single sign-on request, the request typically contains a name identifier policy with a Format attribute specified by the service provider. The service provider uses this attribute to indicate the name identifier format it wants to receive in the subject of the assertion from the identity provider. If the service provider sets the attribute to the value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, it is up to the identity provider to determine which name identifier format to use. The DefaultNameIDFormat configuration parameter of a federation or partner is used for this purpose.

The DefaultNameIDFormat parameter determines processing rules for the name identifier format when one of these conditions exists:

The identity provider first looks for the default name identifier format in the DefaultNameIDFormat parameter of the configuration properties of the corresponding partner. If the parameter is not set there, the identity provider retrieves the same parameter from the federation configuration properties.

If the DefaultNameIDFormat parameter is not set in either the partner or the federation properties, the value is obtained from the configuration parameter com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat, which you set in the Default NameID Format for Assertion validation field, if present. If that parameter is not set either, the value defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Note: You can specify the parameter com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat in the Default NameID Format for Assertion validation field of the Trust Service Chain Mapping Wizard.

The parameter treats the NameID included in the assertion as a string literal and no alias service lookup is used.

The DefaultNameIDFormat parameter can be configured to use one of the following permitted values:

The most common value is: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Each name identifier format works differently in processing single sign-on requests. For example, the persistent name identifier causes the server to use the alias service to look up or create an alias for the user of the federation and partner. The email address name identifier, however, causes the name identifier element to be populated with the user name of the currently authenticated user.
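The following added example (not IBM's own code) models the resolution order described above and the two behaviours the text contrasts: the partner DefaultNameIDFormat wins over the federation value, then the com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat parameter, then the persistent default; a persistent format triggers an alias lookup or creation, while the emailAddress format populates the NameID with the authenticated user name. The configuration dictionaries, the in-memory alias store, the `resolve_nameid_format` and `build_nameid` helper names, and the sample user are all constructed for illustration and are not Tivoli Federated Identity Manager APIs.

```python
"""Illustrative model of DefaultNameIDFormat resolution (added example, not IBM code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STS_DEFAULT_KEY = "com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def resolve_nameid_format(requested: Optional[str],
                          partner_cfg: Dict[str, str],
                          federation_cfg: Dict[str, str],
                          sts_params: Dict[str, str]) -> str:
    """Pick the NameID format for an assertion.

    A concrete Format in the service provider's NameIDPolicy is honoured as
    requested. Only 'unspecified' (or a missing Format) hands the decision to
    the identity provider, which then walks partner -> federation -> STS chain
    parameter -> persistent, exactly the precedence described in the text.
    """
    if requested and requested != UNSPECIFIED:
        return requested
    for cfg in (partner_cfg, federation_cfg):  # partner properties take precedence
        fmt = cfg.get("DefaultNameIDFormat")
        if fmt:
            return fmt
    return sts_params.get(STS_DEFAULT_KEY) or PERSISTENT


def build_nameid(fmt: str, username: str,
                 alias_store: Dict[Tuple[str, str, str], str],
                 federation_id: str, partner_id: str) -> Tuple[str, str]:
    """Return (format, value) for the <NameID> element.

    persistent  -> look up, or create, an alias scoped to federation + partner
                   (a stand-in for the alias service).
    emailAddress -> use the currently authenticated user name as a literal.
    """
    if fmt == PERSISTENT:
        key = (federation_id, partner_id, username)
        if key not in alias_store:
            # constructed alias value; a real alias service would generate an opaque id
            alias_store[key] = "alias-%04d" % (len(alias_store) + 1)
        return fmt, alias_store[key]
    if fmt == EMAIL:
        return fmt, username
    raise ValueError("format not modelled in this example: %s" % fmt)


def render_nameid(fmt: str, value: str) -> str:
    """Serialise the NameID as a saml:NameID element (string, no signing)."""
    ET.register_namespace("saml", SAML_NS)
    el = ET.Element("{%s}NameID" % SAML_NS, Format=fmt)
    el.text = value
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    # constructed sample configuration: partner overrides federation
    partner = {"DefaultNameIDFormat": EMAIL}
    federation = {"DefaultNameIDFormat": PERSISTENT}
    sts = {}
    aliases: Dict[Tuple[str, str, str], str] = {}
    fmt = resolve_nameid_format(UNSPECIFIED, partner, federation, sts)
    f, v = build_nameid(fmt, "alice@example.test", aliases, "fed1", "sp1")
    print(render_nameid(f, v))
```

Run it directly to see the rendered NameID for the constructed partner configuration; swap the partner and federation dictionaries around, or empty them, to watch the precedence change which format is chosen.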

To use a name identifier format other than the default value, configure the DefaultNameIDFormat parameter with a response file in the command-line interface. You can configure the parameter at the federation or partner level:
Note: The DefaultNameIDFormat parameter from the partner configuration takes precedence over the property from the federation configuration.
