SP-specific failure to generate 'good' SAML assertion

Peter Schober peter.schober at univie.ac.at
Tue Nov 12 15:29:39 EST 2013

* David Bantz <dabantz at alaska.edu> [2013-11-12 21:10]:
> I see the warning that no attribute can be encoded as NameIdentifier
> in “required” format; “good” responses to other SPs have messages
> that no attribute can be encoded as NameIdentifier in “supported”
> format (not labeled warning).
> I suspect this should tell me something useful, but admit I don’t
> understand what it’s telling me.

Have a look at the authentication request, which should also be in the
DEBUG log (or grab a new one from the browser, easiest with Firefox's
SAML tracer extension). Seems the SP requests a NameID of format
(which btw does not make too much sense, cf. a very recent thread
about that).

> <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>

Did you block release of the default attribute "transientId" in your
filter (or change the resolver wrt that)? Even a newly installed IDP
will be able to supply NameIDs of that format so you must have
changed/disabled that.
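
The check suggested above, as an added example that is not part of the thread: parse a captured AuthnRequest, pull out the NameIDPolicy Format the SP demands, and compare it with the formats the IdP can actually encode (e.g. transient, if transientId is still released). The entity IDs and the request itself are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample AuthnRequest, like one captured with SAML tracer.
# Entity IDs and URLs are hypothetical, not taken from the thread.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2013-11-12T20:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requested_nameid_format(authn_request_xml: str):
    """Return the Format attribute of NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    return policy.get("Format")  # None when the SP states no preference


def diagnose(authn_request_xml: str, encodable_formats):
    """Say how the IdP will treat the SP's requested format.

    encodable_formats: NameID formats the IdP can produce for this SP,
    i.e. formats for which a released attribute carries a NameID encoder.
    An absent Format (and, as assumed here, 'unspecified') imposes no
    requirement, so any supported format will do.
    """
    fmt = requested_nameid_format(authn_request_xml)
    if fmt is None or fmt == UNSPECIFIED:
        return "no required format; IdP may use any supported NameID"
    if fmt in encodable_formats:
        return f"ok: IdP can encode required format {fmt}"
    # This is the case behind the StatusMessage quoted in the thread.
    return f"Required NameID format not supported: {fmt}"
```

Run diagnose() with the set of formats your resolver/filter still allows for that SP; an empty set reproduces the failing case.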
