where is transientId in SAML assertion

Brent Putman putmanb at georgetown.edu
Wed Sep 24 20:20:35 EDT 2014

On 9/24/14 7:22 PM, Kevin Foote wrote:
> On Sep 24, 2014, at 2:53 PM, David Bantz <dabantz at alaska.edu> wrote:
>> A different vendor is unable to properly interpret the SAML assertion from my IdP,
>> and I haven’t been able to fathom why not, but notice that despite parallel
>> debug log entries that transientId will be used to construct NameID, a corresponding
>> NameID is not in the Subject.  Instead there’s an EncryptedID.
> David, 
> Check your relying-party.xml for the ProfileConfiguration of the profile you are using, presumably SAML2SSOProfile 
> Is this set?  encryptNameIds=“conditional” 
> And what is their end asking for? 

Right, David's encryptNameIds param must be set to "conditional" or
"always".  If the RP doesn't support encrypted NameID's (few probably
do), then you want to set that to "never".  For the record, the
out-of-the-box default for all profiles is encryptNameIds="never".

And, based on your log info, you are actually sending a transient ID,
it's just encrypted.   Those are orthogonal concepts.

More information about the users mailing list