How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier

Yaowen Tu yaowen.tu at
Wed Aug 1 21:10:02 EDT 2012

Thanks a lot for your answer.

One use case I want to confirm is that, if I send this SAML2.0 AuthnRequest:

<saml2p:AuthnRequest AssertionConsumerServiceURL="..."
    Destination="https://localhost/idp/profile/SAML2/Redirect/SSO" ID="..."
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
</saml2p:AuthnRequest>

First of all, is this a valid AuthnRequest? Because I am using SAML2, but
in NameIDPolicy, I specified urn:mace:shibboleth:1.0:nameIdentifier.

In order to comply with the SAML2.0 standards, what should be replied from
IdP? OOTB Shib IdP will return a NameID with format of


On Wed, Aug 1, 2012 at 5:51 PM, Nate Klingenstein <ndk at> wrote:

> Yaowen,
> > What I want to know is, if the SP specifies transient, it is very clear that the
> > value will be a temporary number. But if the SP specifies "
> > urn:mace:shibboleth:1.0:nameIdentifier" as the format, the SP still doesn't
> > know what will be the value inside the NameID. The SP only knows that this
> > value can represent this user. It can be an email address, given name, or
> > whatever. This is defined by the IdP. Is that correct? Is there a place that
> > defines what can be put inside the "nameIdentifier" so IdP and SP will
> > follow this rule?
> urn:mace:shibboleth:1.0:nameIdentifier has reasonably precisely defined
> semantics.  See section 3.3 of the old Shibboleth specification:
> It's effectively a legacy transientId for use with the Shibboleth edition
> of SAML 1.1.
> > Also it says "urn.....shibboleth:1.0:nameIdentifier", does it mean it
> > only works for SAML1.0? If I send a SAML2.0 AuthnRequest, will the IdP return
> > this?
> The IdP could hypothetically be configured to send this NameID using the
> SAML 2.0 protocol, but I think that would be a very unwise choice.
> There's a reason that identifiers are well-typed: so that the SP knows
> what, if anything, to do with them once they're received.  I'd strongly
> suggest choosing the right identifier type for the identifier you'd like to
> send.
> If you have a use case that you'd like to discuss, please let us know.
> Take care,
> Nate.
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
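The thread's point is that identifiers are well-typed: an SP that asks for one NameID Format must not use a value of another format as if it were the one requested, and under SAML 2.0 an IdP that will not honour the NameIDPolicy answers with the InvalidNameIDPolicy status rather than a Success with some other identifier. The following is an added example, not code from the Shibboleth project or from anyone on the list, of the SP-side check that enforces this. The AuthnRequest, Responses, entity IDs and URLs are constructed for the demo; the Shibboleth legacy format is treated as opaque, following Nate's description of it as effectively a transient identifier.

```python
# Added example (not Shibboleth or list code): SP-side check that the NameID
# an IdP returned matches the NameIDPolicy the AuthnRequest asked for.
# Every message, entity ID and URL below is constructed for this demo.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Legacy Shibboleth 1.x identifier from the thread; the SP cannot interpret
# its value, so it is handled like a transient identifier.
SHIB_LEGACY_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
# Second-level status code SAML 2.0 Core defines for an unsatisfiable NameIDPolicy.
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed AuthnRequest modelled on the one posted in the thread.
AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="%s" xmlns:saml2="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2012-08-01T21:10:02Z" '
    'Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml2:Issuer>https://sp.example.org/shibboleth</saml2:Issuer>"
    '<saml2p:NameIDPolicy AllowCreate="true" Format="%s"/>'
    "</saml2p:AuthnRequest>"
) % (NS["samlp"], NS["saml"], SHIB_LEGACY_FORMAT)


def make_response(status, name_id_format=None, name_id_value=None, sub_status=None):
    """Build a minimal, unsigned, constructed Response for the demo."""
    sub = '<samlp:StatusCode Value="%s"/>' % sub_status if sub_status else ""
    assertion = ""
    if name_id_value is not None:
        fmt = ' Format="%s"' % name_id_format if name_id_format else ""
        assertion = (
            '<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" '
            'IssueInstant="2012-08-01T21:10:03Z">'
            "<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>"
            "<saml:Subject><saml:NameID%s>%s</saml:NameID></saml:Subject>"
            "</saml:Assertion>"
        ) % (NS["saml"], fmt, name_id_value)
    return (
        '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2012-08-01T21:10:03Z" InResponseTo="_req1">'
        '<samlp:Status><samlp:StatusCode Value="%s">%s</samlp:StatusCode></samlp:Status>'
        "%s</samlp:Response>"
    ) % (NS["samlp"], status, sub, assertion)


def requested_nameid_format(authn_request_xml):
    """Return the Format the SP asked for in NameIDPolicy, or None if it gave none."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def check_response(authn_request_xml, response_xml):
    """Decide whether the SP may use the NameID in the Response.

    First element of the returned tuple:
      "refused" - IdP signalled InvalidNameIDPolicy (the SAML 2.0 answer when it
                  will not issue the requested format)
      "failed"  - some other non-Success status
      "reject"  - Success, but the NameID is missing or typed differently
      "accept"  - NameID present and typed as requested (or nothing was requested)
    """
    wanted = requested_nameid_format(authn_request_xml)
    resp = ET.fromstring(response_xml)
    # iter() walks in document order, so the top-level StatusCode comes first.
    codes = [sc.get("Value") for sc in resp.iter("{%s}StatusCode" % NS["samlp"])]
    if not codes or codes[0] != STATUS_SUCCESS:
        if STATUS_INVALID_NAMEID_POLICY in codes:
            return ("refused", wanted)
        return ("failed", codes)
    name_id = resp.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ("reject", "no NameID in assertion")
    # An absent Format attribute means "unspecified" in SAML 2.0.
    got = name_id.get("Format", FORMAT_UNSPECIFIED)
    if wanted is not None and got != wanted:
        # Well-typed identifiers: a value of another format is not the one asked for.
        return ("reject", "requested %s but got %s" % (wanted, got))
    # Opaque formats carry no meaning the SP may interpret (not an email, name, ...).
    opaque = got in (SHIB_LEGACY_FORMAT, FORMAT_TRANSIENT, FORMAT_UNSPECIFIED)
    return ("accept", got, name_id.text, opaque)


if __name__ == "__main__":
    print(check_response(AUTHN_REQUEST, make_response(STATUS_SUCCESS, SHIB_LEGACY_FORMAT, "_a1b2c3")))
    print(check_response(AUTHN_REQUEST, make_response(STATUS_SUCCESS, FORMAT_TRANSIENT, "_x9")))
    print(check_response(AUTHN_REQUEST, make_response(STATUS_REQUESTER, sub_status=STATUS_INVALID_NAMEID_POLICY)))
```

The legacy format is syntactically fine in a SAML 2.0 NameIDPolicy (Format is just a URI), which is why the check is needed at the SP: the protocol does not stop an IdP from answering with a differently typed NameID, and only the SP knows which formats it can actually consume.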
