Hi all,

Server Info: CAS 5.2.x

Background: Recently our CAS is going to join an identity federation as a SAML IdP, and I am in charge of checking the compliance in order for us to join. Most of the items can be checked off quickly and I understand the requirements; however, I am having difficulty finding support for the following requirement:

Requirement > Identity Providers SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier format

Our CAS server metadata is the one generated by CAS, so it is basically the same as https://apereo.github.io/cas/5.2.x/installation/Configuring-SAML2-Authentication.html#idp-metadata

And from what I understand, the only supported Name IDs are as follows:

<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

And urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is not enabled by default.

Question: I would like to know the following:

1. Does CAS support urn:oasis:names:tc:SAML:2.0:nameid-format:persistent? I would think so, because it is stated clearly in the official CAS doc https://docs.google.com/spreadsheets/d/1NYN5n6AaNxz0UxwkzIDuXMYL1JUKNZZlSzLZEDUw4Aw/edit#gid=0

2. If so, can I just enable it in the metadata by adding another entry, like this?

<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

3. Is there any security drawback to not enabling urn:oasis:names:tc:SAML:2.0:nameid-format:persistent by default? Or maybe it is enabled but is not in the metadata?

I will be very grateful for any help given by the community, thanks!!!

Cheers!
- Andy

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1129da0b-5cee-46d5-b532-0ae4958a4c30%40apereo.org.
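The compliance item in the question can be checked mechanically against the IdP metadata: parse the IDPSSODescriptor, list the NameIDFormat values it advertises, and report whether the federation's required persistent format is among them. This is an added example, not code from the thread or from the CAS project; the metadata below is a constructed sample shaped like the CAS-generated document described above (the entityID and the two advertised formats are assumptions, not real CAS output).

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample IdP metadata (not real CAS output): an IdP role that
# advertises the Shibboleth 1.0 and transient formats but not persistent.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def advertised_nameid_formats(metadata_xml: str) -> list:
    """Return the NameIDFormat values advertised by every IdP role in the metadata."""
    root = ET.fromstring(metadata_xml)
    formats = []
    # iter() finds IDPSSODescriptor whether the root is a single EntityDescriptor
    # or an EntitiesDescriptor aggregate; SP roles are ignored on purpose.
    for idp in root.iter("{%s}IDPSSODescriptor" % MD_NS):
        for fmt in idp.findall("md:NameIDFormat", NS):
            value = (fmt.text or "").strip()
            if value and value not in formats:
                formats.append(value)
    return formats


def check_federation_requirement(metadata_xml: str, required: str = PERSISTENT) -> dict:
    """Report whether the metadata advertises the format the federation requires."""
    formats = advertised_nameid_formats(metadata_xml)
    return {"advertised": formats, "required": required, "compliant": required in formats}


if __name__ == "__main__":
    report = check_federation_requirement(SAMPLE_METADATA)
    for fmt in report["advertised"]:
        print("advertises:", fmt)
    print("required format advertised:", report["compliant"])
```

This checks only what the metadata declares; whether the IdP actually issues a persistent identifier for a given SP is a separate runtime behaviour that a metadata check cannot confirm.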
