Social-to-SAML Gateway Attributes
The following attributes contribute to a minimal gateway attribute bundle:
- Set the ePPN to the user’s email address (use ePPN at your own risk)
- Set the person name as appropriate
- Optionally set the NameID to one of the following:
  - the user’s email address
  - ePTID (i.e., a SAML2 Persistent NameID)
  - SAML2 Transient NameID
The most difficult mapping is ePTID. The goal is to assert a value of ePTID that persists with or without the gateway in the middle.

ePTID is a triple: (IdP entityID, SP entityID, persistent opaque blob)
All three components must persist regardless of whether or not the gateway is functioning as an intermediary. For the Google OpenID Gateway, we can do this as follows.
Let’s assume that the entityID of the Google IdP is:

and the entityID of the end SP is:

(The latter is in fact the entityID of the Federation Manager.) Then the ePTID computed and asserted by the gateway is given by the triple:
This remains true even if the Google OpenID Gateway goes away.
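The following is an added example, not code from the original page or from any gateway project, showing what "all three components must persist" means in practice: the gateway must populate the SAML2 persistent NameID with the upstream IdP's entityID as NameQualifier, the end SP's entityID as SPNameQualifier, and an opaque value derived from the social account rather than from anything gateway-specific. All entityIDs, the account identifier and the HMAC key are constructed placeholders (the page does not give the real values), and deriving the opaque blob with a keyed HMAC over the upstream account identifier is an assumption about one reasonable way to get a stable, SP-scoped value; the page does not specify how the blob is produced. The `naive_gateway_eptid` function shows the failure mode: a gateway that stamps its own entityID onto the NameID yields a different triple, so the SP sees a different user as soon as the gateway is removed.

```python
"""Added example: build, serialize and compare ePTID triples (SAML2 persistent
NameIDs) the way a Social-to-SAML gateway must if the identifier is to survive
removal of the gateway. Not part of the original page."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed placeholders (assumptions, not values from the page).
IDP_ENTITY_ID = "https://idp.example.org/google"       # upstream (social) IdP as known to the federation
GATEWAY_ENTITY_ID = "https://gateway.example.org/idp"  # the gateway's own entityID
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"     # the end SP
PAIRWISE_KEY = b"constructed-secret-for-demo-only"     # assumed shared derivation key


def opaque_blob(account_id: str, sp_entity_id: str, key: bytes = PAIRWISE_KEY) -> str:
    """Derive a stable, SP-scoped opaque value from the upstream account identifier.

    Assumption: a keyed HMAC over (account, SP) gives a value that is stable for
    one SP yet unlinkable across SPs. Nothing gateway-specific goes into it.
    """
    msg = f"{account_id}!{sp_entity_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def eptid(idp_entity_id: str, sp_entity_id: str, blob: str) -> tuple:
    """ePTID is the triple (IdP entityID, SP entityID, opaque blob)."""
    return (idp_entity_id, sp_entity_id, blob)


def name_id_xml(triple: tuple) -> str:
    """Serialize the triple as a saml:NameID element in the persistent format."""
    idp, sp, blob = triple
    el = ET.Element(f"{{{SAML_NS}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp,      # the IdP that "owns" the identifier
        "SPNameQualifier": sp,     # the SP the identifier is scoped to
    })
    el.text = blob
    return ET.tostring(el, encoding="unicode")


def parse_name_id(xml_text: str) -> tuple:
    """Recover the triple from a persistent NameID element; reject other formats."""
    el = ET.fromstring(xml_text)
    if el.get("Format") != PERSISTENT:
        raise ValueError("not a persistent NameID")
    return (el.get("NameQualifier"), el.get("SPNameQualifier"), (el.text or "").strip())


def gateway_eptid(account_id: str, sp_entity_id: str,
                  idp_entity_id: str = IDP_ENTITY_ID) -> tuple:
    """What the gateway should assert: it names the upstream IdP, not itself."""
    return eptid(idp_entity_id, sp_entity_id, opaque_blob(account_id, sp_entity_id))


def naive_gateway_eptid(account_id: str, sp_entity_id: str) -> tuple:
    """Failure mode: a gateway that uses its own entityID as NameQualifier.

    The resulting triple differs from the one asserted without the gateway, so
    the SP treats the same person as a new user once the gateway goes away.
    """
    return eptid(GATEWAY_ENTITY_ID, sp_entity_id, opaque_blob(account_id, sp_entity_id))


def same_user(xml_a: str, xml_b: str) -> bool:
    """Two NameIDs denote the same ePTID only if all three components match."""
    return parse_name_id(xml_a) == parse_name_id(xml_b)


if __name__ == "__main__":
    acct = "constructed-google-account-id-42"
    direct = eptid(IDP_ENTITY_ID, SP_ENTITY_ID, opaque_blob(acct, SP_ENTITY_ID))
    via_gw = gateway_eptid(acct, SP_ENTITY_ID)
    print("gateway matches direct:", same_user(name_id_xml(direct), name_id_xml(via_gw)))
    print("naive gateway matches: ", same_user(name_id_xml(direct), name_id_xml(naive_gateway_eptid(acct, SP_ENTITY_ID))))
```

The SP compares the whole triple, not just the text value, so getting the opaque blob right is not enough: a NameQualifier that names the gateway instead of the upstream IdP is already a different identifier, which is why the page insists that all three components be independent of whether the gateway is in the path.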