I would like to propose some changes to the SAML implementation.
In short, there are three things I would like to add:
- Allow encrypted assertions in responses
- Allow NameID override
- Allow the use of a static AssertionConsumerServiceURL
1. Allow encrypted assertions in responses
We use Shibboleth with encrypted assertions.
2. Allow NameID override
At the moment, SAML is using my pairwiseID as the username, which is fine for new systems or if you have always used this ID.
However, systems that want to switch their authentication backend to SAML may use a different identifier.
In our case, the username is the EPPN.
I would prefer to override this via a setting instead of altering the entire user database.
3. Static AssertionConsumerServiceURL
In Shibboleth, I have to register an AssertionConsumerServiceURL. This URL cannot change, so the dynamic approach with a count parameter is not feasible.
There is a RelayState parameter available for dynamic parameters.
I have code for every change I am proposing here. Just let me know what you think.
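Added example (my own illustration in Python, not the poster's code and not the project's implementation) of the two settings-driven behaviours from items 2 and 3: picking the local username from the NameID or from a configured SAML attribute, and keeping the AssertionConsumerServiceURL fixed by stashing per-login parameters server side behind an opaque RelayState token. The settings keys (username_source, username_attribute), the in-memory RelayStateStore, the attribute OIDs and the sample assertion are all assumptions made for the example; the assertion is a constructed one that stands in for an assertion that was already decrypted and signature-verified upstream (item 1 is not shown, since decrypting EncryptedAssertion needs an XML-Encryption library), and a real SP would parse it with a hardened XML parser rather than the plain stdlib one used here.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as used by eduPerson/REFEDS deployments (assumed for the example).
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"        # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"        # mail (multi-valued here)

# Constructed sample assertion. It represents an assertion that has ALREADY
# been decrypted and signature-checked; never run the mapping on unverified XML.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_pairwise_opaque_value</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
      <saml:AttributeValue>john.doe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_username(assertion_xml: str, settings: dict) -> str:
    """Return the local username for a verified assertion.

    settings["username_source"] is "nameid" (default) or "attribute"; with
    "attribute", settings["username_attribute"] is the SAML attribute Name
    (the OID URN) whose single value becomes the username.
    """
    root = ET.fromstring(assertion_xml)
    source = settings.get("username_source", "nameid")
    if source == "nameid":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        value = (node.text or "").strip() if node is not None else ""
        if not value:
            raise ValueError("assertion carries no usable NameID")
        return value
    if source == "attribute":
        wanted = settings["username_attribute"]
        values = [
            (v.text or "").strip()
            for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
            # Match on Name only: FriendlyName is informational and not unique.
            if attr.get("Name") == wanted
            for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
        values = [v for v in values if v]
        # Refuse ambiguous input: a multi-valued attribute must not silently
        # pick the first value as the account to log into.
        if len(values) != 1:
            raise ValueError(f"{wanted}: expected exactly one value, got {len(values)}")
        return values[0]
    raise ValueError(f"unknown username_source {source!r}")


class RelayStateStore:
    """Server-side stash for per-login parameters when the ACS URL is fixed.

    The SP keeps the dynamic parameters itself and sends only an opaque,
    single-use token as RelayState. That keeps the value inside the 80-byte
    limit the SAML 2.0 Bindings spec puts on RelayState, and the SP never has
    to trust (or redirect to) whatever the browser hands back.
    """

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing
        self._pending = {}

    def issue(self, params: dict) -> str:
        token = secrets.token_urlsafe(24)   # 32 URL-safe chars, unguessable
        self._pending[token] = (self._clock() + self._ttl, dict(params))
        return token

    def redeem(self, relay_state: str):
        """Return the stored params once, or None if unknown, reused or expired."""
        entry = self._pending.pop(relay_state, None)   # single use
        if entry is None:
            return None
        expires, params = entry
        if self._clock() > expires:
            return None
        return params


if __name__ == "__main__":
    print(resolve_username(SAMPLE_ASSERTION, {}))
    print(resolve_username(SAMPLE_ASSERTION,
                           {"username_source": "attribute", "username_attribute": EPPN}))
    store = RelayStateStore()
    token = store.issue({"redirect_to": "/projects/42"})
    print(token, store.redeem(token), store.redeem(token))
```

With the default settings the username is the NameID (the pairwise identifier); switching `username_source` to `attribute` with the ePPN OID yields the existing EPPN-based username without touching the user table. Selecting `mail` fails on purpose because it is multi-valued. For the RelayState side, the login handler calls `issue()` before redirecting to the IdP and the single ACS endpoint calls `redeem()`; anything the token maps to (such as a post-login redirect target) is still validated against an allow-list before use.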