"non-NameID-valued attribute" for hashed NameID

Peter Schober peter.schober at univie.ac.at
Fri Nov 18 11:19:22 GMT 2011

On a newly installed SP on RHEL6 (64-bit, from the OBS repo) I'm
trying to activate hashing of NameIDs in the attribute map, like I did
on other SPs. This time I see warnings in shibd.log and the value is
removed as a consequence:

2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (persistent-id)
2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: removed value at position (0) of attribute (persistent-id) from (https://idp.example.edu/shibboleth)
2011-11-18 11:58:09 WARN Shibboleth.AttributeFilter [2]: no values left, removing attribute (persistent-id) from (https://idp.example.edu/shibboleth)

The strange thing is that with the same version of the SP (RPM
shibboleth-2.4.3-2.2) on another system (RHEL5 32-bit) the same thing
works just fine -- from the same IdP with the same principal.
The attribute filter on the IdP should treat both SPs the same, so the
same type of NameID should be released.

The config change in the attribute-map.xml in both cases simply is
adding hashAlg="md5" (or sha1) to the AttributeDecoder for the

When I do not add hashAlg to the AttributeDecoder everything comes
through fine and looks like your ordinary NameID, decoded into 

On the wire (i.e., from shibd.log on DEBUG) it looks OK too: 

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

Any ideas?
