Providing a persistent SAML NameID format in PingFederate
Use a custom SAML NameID format by defining a hidden attribute in the PingFederate attribute contract.
Before you begin
You must have the following product versions:
- PingFederate 10.3
About this task
Some SAML federation partner software requires a SAML NameID format of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Provide this format by using SAML_NAME_FORMAT.
Steps
- In PingFederate, go to Applications → SP Connections.
- In the SP Connections list, select your connection.
- Click the Browser SSO tab, and then click Configure Browser SSO.
- Click the Assertion Creation tab, and then click Configure Assertion Creation.
- Click the Attribute Contract tab.
- Extend the contract using the following table as a guide.

  | Attribute Contract | Subject Name Format |
  | --- | --- |
  | SAML_SUBJECT | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
  | SAML_NAME_FORMAT | urn:oasis:names:tc:SAML:1.1:attrname-format:unspecified |

- Click Next.
- Click the Authentication Source Mapping tab and then click Map New Adapter Instance.
- On the Adapter Instance tab, in the Adapter Instance list, select your adapter. Click Next.
- On the Mapping Method tab, leave the default settings and click Next.
- On the Attribute Contract Fulfillment tab, fulfill the contract using the following table as a guide.

  | Attribute Contract | Source | Value |
  | --- | --- | --- |
  | SAML_SUBJECT | Adapter | username |
  | SAML_NAME_FORMAT | Text | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |

- Click Next until you reach the Summary tab. Click Save.
Result
This produces a SAML_SUBJECT similar to the following example.
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
The new SAML_NAME_FORMAT value overrides the original SAML NameID.
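To confirm the change took effect, the following added example (not part of the original page and not Ping Identity code) checks a decoded assertion captured from a test SSO for the expected NameID Format. The helper names and sample assertions are constructed for illustration, and the check that SAML_NAME_FORMAT never appears as a SAML attribute is an assumption about what "hidden" means here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def check_nameid(assertion_xml, expected_format=PERSISTENT):
    """Return (ok, problems) for one decoded SAML 2.0 assertion (hypothetical helper)."""
    # Assertions never need a DTD; refuse one before the parser sees it.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        return False, ["DTD or entity declaration present"]
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID element")
    else:
        fmt = name_id.get("Format")
        if fmt != expected_format:
            problems.append(f"NameID Format is {fmt!r}, expected {expected_format!r}")
        if not (name_id.text or "").strip():
            problems.append("NameID value is empty")
    # Assumption: a "hidden" contract attribute is never sent as a SAML Attribute.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "SAML_NAME_FORMAT":
            problems.append("SAML_NAME_FORMAT sent in the AttributeStatement")
    return not problems, problems


def sample_assertion(fmt, extra=""):
    """Constructed test assertion (unsigned), modelled on the Result snippet."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject>"
        f'<saml:NameID Format="{fmt}">joe</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "</saml:Subject>" + extra + "</saml:Assertion>"
    )


if __name__ == "__main__":
    leaked = ('<saml:AttributeStatement><saml:Attribute Name="SAML_NAME_FORMAT"/>'
              "</saml:AttributeStatement>")
    for label, xml in [("after the change", sample_assertion(PERSISTENT)),
                       ("before the change", sample_assertion(UNSPECIFIED)),
                       ("attribute not hidden", sample_assertion(PERSISTENT, leaked))]:
        print(label, check_nameid(xml))
```

The check covers only the Format label and does not validate the assertion signature. SAML 2.0 Core defines a persistent identifier as an opaque value specific to the IdP and SP pair, which a username mapped from the adapter is not.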