Persistent Assertion/Subject/NameID from LDAP Attribute

Tom Scavo trscavo at
Thu Aug 9 08:49:07 EDT 2012

On Thu, Aug 9, 2012 at 3:34 AM, Henry B. Hotz <hotz at> wrote:
> On the bottom, I've got an attribute (LDAP "mail") which is getting put in the IDP response just fine.  I'm having trouble connecting the dots up to get it used as a persistent NameID for the Assertion. (Preferably only for one SP.)


> While the IdPPersistentNameIdentifier page doesn't say so, I assume I should put the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" as a supported <NameIDFormat> in both the SP and IDP metadata.

That is definitely optional.

> What is it that tells the IDP to use a specific attribute as the NameID for the assertion?  Is it putting an extra <resolver:AttributeEncoder> into the <resolver:AttributeDefinition>?

In the case of the SAML V2.0 Persistent NameID, you don't. That NameID
has a very specific format (you can read about it in the SAML spec)
but it looks nothing like an e-mail address. If you want to have the
latter as a NameID, use:


which is (obviously) pre-V2.0 but the format of choice for e-mail addresses.


More information about the users mailing list