If you want to use OpenAM as an IdP to federate with the Mozy enterprise application (the commercial offer), you’ll have to configure your IdP so that it sets the value of the NameID field in the SAML assertion to the email address of your users.

Since OpenAM by default requires write access to your user repository in order to store persistent NameIDs, you may switch to the transient NameID format to avoid this behaviour.
In that case, just add a mapping like the one below to the NameID value map, so that OpenAM uses the « mail » attribute of your LDAP repository whenever the transient NameID format is requested:

urn:oasis:names:tc:SAML:2.0:nameid-format:transient=mail

Also, don’t forget to set the user profile mode of the core authentication module to « Required ». Otherwise, OpenAM will never add any attribute to the SAML assertions it produces, and the NameID will not carry the email address.
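To make the two settings above concrete, here is a small added illustration (written for this post, not OpenAM’s own code) of how a « format=attribute » NameID value map is applied: the mapped attribute is read from the user profile, the transient format falls back to a random opaque identifier when no mapping exists (assumed to mirror OpenAM’s behaviour), and a missing attribute, which is what you get when the profile mode is not « Required », yields no value instead of a wrong one. The sample map and user profiles are constructed for the example.

```python
import secrets
from xml.sax.saxutils import escape

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed NameID value map, one "format=attribute" entry per line,
# exactly as the mapping shown in the post.
SAMPLE_MAP_ENTRIES = [
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient=mail",
]


def parse_nameid_value_map(entries):
    """Turn 'format=attribute' lines into a {format: attribute} dict."""
    mapping = {}
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        fmt, sep, attr = entry.partition("=")
        if not sep or not fmt.strip() or not attr.strip():
            raise ValueError(f"malformed NameID value map entry: {entry!r}")
        mapping[fmt.strip()] = attr.strip()
    return mapping


def resolve_nameid(fmt, mapping, user_attrs):
    """Return the NameID value to emit for the requested format.

    - format mapped to an attribute: first value of that attribute
    - transient format with no mapping: random opaque identifier (assumed
      to match OpenAM's default for transient NameIDs)
    - mapped attribute absent from the profile (e.g. profile mode is
      'Ignored' so no attributes were loaded): None, never a guessed value
    """
    attr = mapping.get(fmt)
    if attr is None:
        return secrets.token_urlsafe(24) if fmt == TRANSIENT else None
    values = user_attrs.get(attr) or []
    return values[0] if values else None


def build_nameid_element(fmt, value):
    """Render the NameID element as it would appear in the assertion."""
    if value is None:
        raise ValueError("no NameID value available; check profile mode")
    return f'<saml:NameID Format="{escape(fmt)}">{escape(value)}</saml:NameID>'
```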
