SP-specific failure to generate 'good' SAML assertion
Peter Schober
peter.schober at univie.ac.at
Tue Nov 12 15:29:39 EST 2013
* David Bantz <dabantz at alaska.edu> [2013-11-12 21:10]:
> I see the warning that no attribute can be encoded as NameIdentifier
> in “required” format; “good” responses to other SPs have messages
> that no attribute can be encoded as NameIdentifier in “supported”
> format (not labeled warning).
> I suspect this should tell me something useful, but admit I don’t
> understand what it’s telling me.
Have a look at the authentication request, which should also be in the
DEBUG log (or grab a new one from the browser, easiest with Firefox's
SAML tracer extension). Seems the SP requests a NameID of format
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
(which btw does not make too much sense, cf. a very recent thread
about that).
> <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
Did you block release of the default attribute "transientId" in your
filter (or change the resolver wrt that)? Even a newly installed IDP
will be able to supply NameIDs of that format so you must have
changed/disabled that.
-peter
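An added example, not part of the thread, that does the check Peter suggests: parse the SP's AuthnRequest, read the NameIDPolicy Format it asks for, and compare that with the NameID formats the IdP can still encode once the attribute filter has run. The sample AuthnRequest and the set of formats passed as `released_formats` are constructed assumptions, and the decision function only approximates the IdP's behaviour.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample AuthnRequest (not a real capture); the Issuer and ID
# are placeholders, only the NameIDPolicy matters for this check.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2013-11-12T20:10:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requested_nameid_format(authn_request_xml):
    """Return the Format attribute of the request's NameIDPolicy, or None
    when the SP expresses no preference (the IdP may then pick any format)."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("Format")


def check_nameid_policy(authn_request_xml, released_formats):
    """Approximate the IdP's decision: a requested format the IdP cannot
    produce from the attributes the filter releases yields the error
    status quoted in the thread. released_formats is an assumed set of
    NameID formats still encodable after attribute filtering."""
    fmt = requested_nameid_format(authn_request_xml)
    if fmt is None or fmt in released_formats:
        return "ok"
    return "Required NameID format not supported"


if __name__ == "__main__":
    print(requested_nameid_format(SAMPLE_AUTHN_REQUEST))
    # transientId released (default IdP install): the request succeeds
    print(check_nameid_policy(SAMPLE_AUTHN_REQUEST, {TRANSIENT}))
    # transientId blocked by the filter: the SP gets the status message
    print(check_nameid_policy(SAMPLE_AUTHN_REQUEST, set()))
```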