Invalid SPNameQualifier for this request

James Bardin jbardin at
Mon Sep 12 22:22:01 BST 2011

On Fri, Sep 9, 2011 at 9:54 PM, James Bardin <jbardin at> wrote:
> On Fri, Sep 9, 2011 at 4:48 PM, Cantor, Scott <cantor.2 at> wrote:
>>>I don't know why they send it, but it's incorrect to specify an
>>>SPNameQualifier with the same ID as the requester. I've asked them to
>>>remove it too, with no response.
>> If it's actually the same, and it's not working, that would be a bug in
>> the IdP. Seems like I saw that and fixed it a while back, it rings a bell
>> anyway.
> Ah yes, it was a bug fix for 2.3. I don't think I've tested their SP
> against the newer IdP, but I may be able to confirm next week on a new
> instance.

Turns out there's two different bugs, causing this result.
The shib IdP bug mentioned above, which is fixed, and one service-now bug.

They're generating the SPNameQualifier from their ACS, which may match
in some configurations, so not everyone has this issue. I'll let them
know what the problem is, but Scott's advice of adding a SAML
AffiliationDescriptor in the metadata that matches the SPNameQualifier
would also work.

James Bardin <jbardin at>
Systems Engineer
Boston University IS&T

More information about the users mailing list