How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier

Yaowen Tu yaowen.tu at
Thu Aug 2 14:10:03 EDT 2012

Thanks Scott. Does it mean that it is a bug if it returns a transient
NameID instead of nameIdentifier or an error?

For more information please see the log:

11:22:01.373 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:465] - Attempting to select name identifier attribute for relying party '...' that requires format 'urn:mace:shibboleth:1.0:nameIdentifier'
11:22:01.374 - DEBUG - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:mace:shibboleth:1.0:nameIdentifier]
11:22:01.374 - DEBUG - Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
11:22:01.374 - DEBUG - Selecting attribute to be encoded as a name identifier by encoder of type
11:22:01.374 - DEBUG - Selecting the first attribute that can be encoded in to a name identifier
11:22:01.374 - DEBUG - Name identifier for relying party '...' will be built from attribute
11:22:01.374 - DEBUG - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party '...'


On Thu, Aug 2, 2012 at 7:09 AM, Cantor, Scott <cantor.2 at> wrote:

> On 8/1/12 9:10 PM, "Yaowen Tu" <yaowen.tu at> wrote:
> >
> >In order to comply with the SAML2.0 standards, what should be replied
> >from IdP? OOTB Shib IdP will return a NameID with format of
> >urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
> OOTB it should either return what you ask for, or an error, or there's a
> bug.
> -- Scott
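
Added example (not part of the original thread or of the Shibboleth code base): a small checker that scans IdP DEBUG output for the situation shown in the log above, where the format logged as required for a relying party differs from the format the NameID is finally created with. The message patterns are taken from the quoted log entries; the entity IDs, the second relying party and the one-entry-per-line layout are constructed assumptions.

```python
import re

# Message patterns copied from the DEBUG entries quoted in the post.
REQUIRED = re.compile(
    r"select name identifier attribute for relying party '([^']*)' "
    r"that requires format '([^']*)'")
USED = re.compile(
    r"Using attribute '([^']*)' supporting NameID format '([^']*)' "
    r"to create the NameID for relying party '([^']*)'")


def find_format_mismatches(lines):
    """Return (relying_party, required, attribute, issued) for each NameID
    the IdP built in a format other than the one it logged as required."""
    required = {}  # relying party -> format from the latest "requires" entry
    mismatches = []
    for line in lines:
        m = REQUIRED.search(line)
        if m:
            required[m.group(1)] = m.group(2)
            continue
        m = USED.search(line)
        if m:
            attribute, issued, rp = m.groups()
            wanted = required.pop(rp, None)
            if wanted is not None and wanted != issued:
                mismatches.append((rp, wanted, attribute, issued))
    return mismatches


# Constructed sample: entity IDs are placeholders, one log entry per line.
SHIB1 = "urn:mace:shibboleth:1.0:nameIdentifier"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAMPLE_LOG = [
    f"11:22:01.373 - DEBUG - Attempting to select name identifier attribute "
    f"for relying party 'https://sp1.example.org' that requires format '{SHIB1}'",
    f"11:22:01.374 - DEBUG - Using attribute 'transientId' supporting NameID "
    f"format '{TRANSIENT}' to create the NameID for relying party "
    f"'https://sp1.example.org'",
    f"11:25:10.020 - DEBUG - Attempting to select name identifier attribute "
    f"for relying party 'https://sp2.example.org' that requires format '{TRANSIENT}'",
    f"11:25:10.021 - DEBUG - Using attribute 'transientId' supporting NameID "
    f"format '{TRANSIENT}' to create the NameID for relying party "
    f"'https://sp2.example.org'",
]

if __name__ == "__main__":
    for rp, wanted, attribute, issued in find_format_mismatches(SAMPLE_LOG):
        print(f"{rp}: required {wanted}, issued {issued} from '{attribute}'")
```

Entries are paired by relying party name only, so overlapping requests from the same relying party in one log would need a request or session key to be paired reliably.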