
For testing with SimpleSAMLphp, see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted for reference on how to configure SSP as the hosted IdP.

Transient identifier scenarios

In a transient identifier scenario, the RP requests a transient identifier using the transient scope and should receive a unique sub per transaction, regardless of which attributes we received from the SAML IdP as an identifier (even if this is a persistent identifier).

The following scenarios need to be tested:

SAML NameID, eduPersonAffiliation and SchacHomeOrganization

Each scenario below is one row of a table with the columns Configuration | Parameters (for SSP) | Expected Result.

Transient SAML NameID, eduPersonAffiliation and schacHomeOrganization

Configuration:

IdP: release

  • transient SAML NameID
  • eduPersonAffiliation
  • schacHomeOrganization

RP request:

  • transient scope
  • student scope

Parameters (for SSP):

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.25178.1.2.9 = example.org
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 = student

Expected result:

Student validation PASS
Affiliate validation PASS
Employee validation FAIL

RP receives a new, unique sub for each transaction.




Transient SAML NameID, eduPersonScopedAffiliation

Configuration:

IdP: release

  • transient SAML NameID
  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

Parameters (for SSP):

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected result:

Student validation PASS
Affiliate validation PASS
Employee validation FAIL

RP receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonPrincipalName, eduPersonScopedAffiliation

Configuration:

IdP: release

  • transient SAML NameID
  • eduPersonPrincipalName
  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

Parameters (for SSP):

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = username@example.org
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected result:

Student validation PASS
Affiliate validation PASS
Employee validation FAIL

RP receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonUniqueID, eduPersonScopedAffiliation

Configuration:

IdP: release

  • transient SAML NameID
  • eduPersonUniqueID
  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

Parameters (for SSP):

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 = 3290vdsjk2njks9@example.org
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected result:

Student validation PASS
Affiliate validation PASS
Employee validation FAIL

RP receives a new, unique sub for each transaction.



Transient SAML NameID, eduPersonTargetedID, eduPersonScopedAffiliation

Configuration:

IdP: release

  • transient SAML NameID
  • eduPersonUniqueID
  • eduPersonScopedAffiliation

RP request:

  • transient scope
  • student scope

Parameters (for SSP):

NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 = 3290vdsjk2njks9@example.org
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 = student@example.org

Expected result:

Persistent identifier scenario

Right, so with the test instance, test the following (have a look at this):



1 Transient NameID on IdP

1.1 eduPersonAffiliation and schacHomeOrganization

IdP config:
Force SSP to release a transient NameID using the NameIDFormat parameter (it is the default, but just to be sure).

Set the attributes as follows:
schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9) = example.org
eduPersonAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) = student

- Test with NameIDFormat transient and the following attributes:

https://simplesamlphp.org/docs/1.5/simplesamlphp-authproc#section_2_5
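The IdP side of scenario 1 above (transient NameID, eduPersonAffiliation and schacHomeOrganization) as a SimpleSAMLphp saml20-idp-hosted.php entry; this is an added example, not the page's own configuration. The entity ID, key file names and authsource name are assumptions, and the syntax follows SimpleSAMLphp 2.x.

```php
<?php
// Added example (not from the original page): one hosted-IdP entry that
// produces the "transient NameID + eduPersonAffiliation + schacHomeOrganization"
// row of the test matrix. Entity ID, key files and authsource are assumptions.

$metadata['https://idp.example.org/saml2/idp'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',          // assumed file name under cert/
    'certificate' => 'idp.crt',          // assumed file name under cert/
    'auth'        => 'example-userpass', // assumed authsource in authsources.php

    // Force the transient NameID. It is the SSP default, but the test
    // matrix keys on it, so state it explicitly.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    'authproc' => [
        // Add the two attributes the scenario releases, under friendly names.
        10 => [
            'class'                => 'core:AttributeAdd',
            'schacHomeOrganization' => ['example.org'],
            'eduPersonAffiliation'  => ['student'],
        ],
        // Rename them to the urn:oid form the RP-side checks expect.
        20 => [
            'class' => 'core:AttributeMap',
            'name2oid',
        ],
        // Release only these two. Anything else the authsource returns
        // (e.g. a persistent eduPersonPrincipalName) is dropped, so the
        // transient sub cannot be derived from an attribute the row did
        // not mean to release.
        30 => [
            'class' => 'core:AttributeLimit',
            'urn:oid:1.3.6.1.4.1.25178.1.2.9', // schacHomeOrganization
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', // eduPersonAffiliation
        ],
    ],
];
```

The other transient rows differ only in the attributes given to core:AttributeAdd and core:AttributeLimit; run the RP login twice with identical attributes and compare the two sub values to confirm they differ.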