Shibboleth 2.3 with SSO web client - minimum steps

Christopher Bongaarts cab at
Fri Feb 1 14:35:45 EST 2013

On 1/31/2013 2:39 PM, lalithj wrote:
> Looking at our logs (before the encryption) we can see the subject goes as
> follows
> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> NameQualifier=""
> SPNameQualifier="">_99999fe8638579999999680248</saml2:NameID>
> they want email address/login Id instead,

Define a new attribute in attribute-resolver.xml that uses the email 
address from your data source (LDAP, database, etc.) as the source 
attribute, with a SAML2 NameID string encoder.  Then update your 
attribute-filter.xml file so that you release the new attribute, and 
stop releasing transientID.

The links Peter gave have more detailed instructions.

And as Scott said, you'll probably want to make sure the SP's metadata 
indicates support for the correct nameID format they want.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
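
The three steps above (new resolver attribute with a NameID encoder, filter policy that releases it, SP metadata declaring the format) written out in IdP 2.x configuration syntax, as an added example that is not part of the original message or of the Shibboleth distribution. The connector id `myLDAP`, attribute id `email`, LDAP attribute `mail`, LDAP host, bind DN, and the SP entityID `https://sp.example.org/shibboleth` are all assumed placeholders; the fragments go inside the existing root elements of the respective files, which already declare the `resolver`, `ad`, `dc`, `enc`, `afp` and `basic` namespace prefixes used here.

```xml
<!-- ===== attribute-resolver.xml ===== -->

<!-- Assumed LDAP connector (host, base DN and bind credentials are placeholders).
     Only "mail" is requested so the connector does not pull more than it needs. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ldap.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>mail</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- New attribute: value is the LDAP "mail" attribute; the SAML2StringNameID
     encoder is what lets the IdP use it as the assertion Subject NameID. -->
<resolver:AttributeDefinition id="email" xsi:type="ad:Simple"
    sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- ===== attribute-filter.xml ===== -->

<!-- Release "email" to this one SP only (AttributeRequesterString), not to
     everyone. Separately, delete or narrow the stock policy that releases
     transientId to any requester so it is no longer a candidate NameID for
     this SP. -->
<afp:AttributeFilterPolicy id="releaseEmailNameIDToSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- ===== SP metadata, inside md:SPSSODescriptor ===== -->

<!-- Declaring the wanted format lets the IdP choose the email NameID instead of
     whichever released attribute with a NameID encoder it encounters first. -->
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
```

Two practical caveats. An email-address NameID is not opaque the way a transient or persistent ID is, so scope the release rule to the SPs that genuinely need it rather than `basic:ANY`, and bear in mind that an address can be reassigned, so the SP should not treat it as a stable account key on its own. After restarting the IdP, check idp-process.log for the attribute being resolved and released for that SP, and confirm the Subject in the issued assertion now carries the emailAddress format rather than transient.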
