NameId question

Brewer, Edward L lee.brewer at Vanderbilt.Edu
Tue Feb 26 13:32:52 EST 2013

To all,

I am attempting to create a new NameId to integrate with a vendor. I am currently using Shibboleth 2.3.6 IdP running under JBOSS 5 on Linux. The vendor wants me to pass them a NameId of username@vu, where vu represents Vanderbilt University. I asked to make it username at<mailto:username at> but they want to shorten it to make it easier on mobile users, since they have to type in the entire name for PIN administration. I followed the instructions in the wiki and created a new attribute:

<resolver:AttributeDefinition id="concurid" xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="vu" sourceAttributeID="uid"
    xmlns:xsi="" xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:" friendlyName="username" scopeType="inline" />
</resolver:AttributeDefinition>

And I set it to release the attribute to the vendor in the attribute filter. Now in this present state I see this in the logs:

BTW (I also have another nameId present called transientId that is transient format)

12:19:01.215 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:573] - Removing attribute concurid, it can not be encoded in to a name identifier of an acceptable format

So the assertion is created with the TransientId instead. Now if I change the nameid-format to transient for concurid, then the IdP chooses concurid, but it uses only the username and no @vu.

Any help would be appreciated,
Lee Brewer
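
The DEBUG line in the message above says concurid was dropped because none of its NameID encoders emits a format the relying party accepts. The check below is an added example, not part of the original post and not Shibboleth's own code; it assumes the accepted formats are the NameIDFormat values in the SP's metadata, and the resolver fragment, SP metadata, entityID and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RESOLVER = "urn:mace:shibboleth:2.0:resolver"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed resolver fragment modelled on the post (LDAP dependency omitted).
RESOLVER_XML = f"""
<resolver:AttributeResolver xmlns:resolver="{RESOLVER}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder">
  <resolver:AttributeDefinition id="concurid" xsi:type="ad:Scoped" scope="vu" sourceAttributeID="uid">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="{UNSPECIFIED}"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="{TRANSIENT}"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

# Constructed SP metadata: the vendor is assumed to declare only the transient format.
SP_METADATA_XML = f"""
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def sp_formats(metadata_xml):
    """Return the set of NameIDFormat URIs the SP declares in its metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat") if e.text}

def nameid_candidates(resolver_xml, accepted):
    """Map attribute id -> True if one of its SAML 2 NameID encoders emits an accepted format."""
    result = {}
    for ad in ET.fromstring(resolver_xml).iter(f"{{{RESOLVER}}}AttributeDefinition"):
        formats = {
            enc.get("nameFormat")
            for enc in ad.iter(f"{{{RESOLVER}}}AttributeEncoder")
            if enc.get(XSI_TYPE, "").split(":")[-1].endswith("NameID")
        }
        if formats:
            # Assumption: an empty accepted set means the SP states no preference.
            result[ad.get("id")] = not accepted or bool(formats & accepted)
    return result
```

With the constructed inputs, concurid is reported as not usable and transientId as usable, which matches the behaviour described in the message.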