NameID generation filters
This document describes the NameID generation filters in the saml module.
1 Common options
NameQualifier - The NameQualifier attribute for the generated NameID. This can be a string that is used as the value directly. It can also be TRUE, in which case we use the IdP entity ID as the NameQualifier. If it is FALSE, no NameQualifier will be included. The default is FALSE, which means that we will not include a NameQualifier by default.
SPNameQualifier - The SPNameQualifier attribute for the generated NameID. This can be a string that is used as the value directly. It can also be TRUE, in which case we use the SP entity ID as the SPNameQualifier. If it is FALSE, no SPNameQualifier will be included. The default is TRUE, which means that we will use the SP entity ID.
2 saml:AttributeNameID
Uses the value of an attribute to generate a NameID.
2.1 Options
attribute - The name of the attribute we should use as the unique user ID.
Format - The Format attribute of the generated NameID.
3 saml:PersistentNameID
Generates a persistent NameID with the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
The filter takes the user ID from the attribute named in the attribute option and hashes it together with the secretsalt from config.php and the SP and IdP entity IDs.
The resulting hash is sent as the persistent NameID.
3.1 Options
attribute - The name of the attribute we should use as the unique user ID.
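The derivation described in this section, as an added illustration that is not SimpleSAMLphp's own code: the HMAC-SHA256 construction, the length-prefixed field layout, the function names and all sample values are assumptions, since the page only states which inputs are hashed. It shows that the value is stable for a user at one SP, differs between SPs, and changes for everyone if secretsalt changes.

```php
<?php
// Added illustration, not SimpleSAMLphp source. HMAC-SHA256 and the field
// layout are assumptions; the page only names the inputs that are hashed.

/** Length-prefix a field so adjacent values cannot run into each other. */
function lengthPrefixed(string $field): string
{
    return strlen($field) . ':' . $field;
}

/** Derive a persistent NameID value from the inputs the page lists. */
function persistentNameId(string $secretSalt, string $idpEntityId, string $spEntityId, string $uid): string
{
    if ($secretSalt === '' || $uid === '') {
        // An empty salt makes the value computable by anyone who knows the
        // user ID; an empty user ID gives all such users one shared NameID.
        throw new InvalidArgumentException('secretsalt and user ID must be non-empty');
    }
    $data = lengthPrefixed($idpEntityId) . lengthPrefixed($spEntityId) . lengthPrefixed($uid);
    return hash_hmac('sha256', $data, $secretSalt);
}

// Constructed sample values.
$salt = 'constructed-example-salt';
$idp  = 'https://idp.example.org/saml2/idp/metadata.php';
$spA  = 'https://sp-a.example.com/metadata';
$spB  = 'https://sp-b.example.com/metadata';
$uid  = 'alice@example.org'; // value of the configured attribute

$idAtA = persistentNameId($salt, $idp, $spA, $uid);
$idAtB = persistentNameId($salt, $idp, $spB, $uid);

// Stable: the same user gets the same value at the same SP on every login.
var_dump($idAtA === persistentNameId($salt, $idp, $spA, $uid));
// Pairwise: two SPs cannot correlate the user by comparing NameIDs.
var_dump($idAtA !== $idAtB);
// Changing secretsalt changes every NameID, breaking SP-side account links.
var_dump($idAtA !== persistentNameId('rotated-salt', $idp, $spA, $uid));
// Without length prefixes these two input pairs would concatenate identically.
var_dump(
    persistentNameId($salt, $idp, 'sp', '1user') !== persistentNameId($salt, $idp, 'sp1', 'user')
);
```

The attribute chosen as the user ID should itself be stable and never reassigned, because a change in its value produces a different persistent NameID at every SP.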
4 saml:TransientNameID
Generates a transient NameID with the format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
No extra options are available for this filter.
5 Example
This example makes three NameIDs available:
'authproc' => array(
    1 => array(
        'class' => 'saml:TransientNameID',
    ),
    2 => array(
        'class' => 'saml:PersistentNameID',
        'attribute' => 'eduPersonPrincipalName',
    ),
    3 => array(
        'class' => 'saml:AttributeNameID',
        'attribute' => 'mail',
        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ),
),
