Multiple Name ID's in IdP 2.x for Google Apps

Leung, Warren wleung at
Mon Aug 24 17:06:08 EDT 2015


We are planning on upgrading to IdP 3.x early next year!  However, we are in
the process of upgrading our 2.x instance and have a QA setup with the
latest version with some other internal enhancements. We are trying to
connect our Google Apps test instance with our QA instance, but it seems
like the IdP is releasing transientId (we release transientId for all)
over principal.  Configurations are the same (except for entityIDs and
ACS URLs).  It is functioning correctly in our older 2.x production
instance as well.  Below are the IdP logs:

13:45:33.336 - DEBUG
:717] - [iam-shb-q02-0daa1afd-4aa1-11e5] Selecting the first attribute
that can be encoded in to a name identifier
13:45:33.336 - DEBUG
:501] - [iam-shb-q02-0daa1afd-4aa1-11e5] Name identifier for relying party
'' will be built from attribute 'transientId'
13:45:33.336 - DEBUG
Handler:868] - [iam-shb-q02-0daa1afd-4aa1-11e5] Using attribute
'transientId' supporting NameID format
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID
for relying party ''

I've read the documentation at
Below is our Google metadata and attribute resolver for principal:

<EntityDescriptor entityID=""
		<AssertionConsumerService index="1"
			Location="" />

<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
	<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
		nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

I thought that the filtering would occur with the SP metadata thus using
the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.  Am I missing
another configuration somewhere?  I can get it to work when I add a
DenyValueRule in the attribute filter for Google Apps.
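The log line "Selecting the first attribute that can be encoded in to a name identifier" is the 2.x handler's path for a relying party whose metadata lists no NameIDFormat: it walks the released attributes in order and takes the first one with a SAML 2 NameID encoder, which is why transientId wins over principal. The following is an added model of that selection, not code from the Shibboleth IdP or from the poster. Everything in it is constructed: the metadata (entityID, ACS URL), the attribute order (transientId placed before principal because that is what the log shows being picked), and the rule that a listed nameid-format:unspecified is treated as "any format acceptable" (my recollection of the 2.x getNameFormats logic, marked as an assumption in the code; verify against your version). It shows why a DenyValueRule on transientId changes the outcome while adding unspecified to the SP metadata does not.

```python
"""Model of Shibboleth IdP 2.x NameID selection.

Added example, NOT IdP code.  Assumptions:
  * with no NameIDFormat in the SP metadata the IdP takes the first released
    attribute that has a SAML 2 NameID encoder, in resolver order;
  * with NameIDFormat elements present, the first attribute whose encoder
    format is listed wins;
  * a listed nameid-format:unspecified is treated as "any format", i.e. the
    list is cleared (assumed from the 2.x handler; verify for your version).
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata; entityID and Location are placeholders.
METADATA_NO_FORMAT = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/example.edu">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.edu/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""

# Same metadata with a NameIDFormat of unspecified added.
METADATA_WITH_UNSPECIFIED = METADATA_NO_FORMAT.replace(
    "<AssertionConsumerService",
    "<NameIDFormat>%s</NameIDFormat>\n    <AssertionConsumerService" % UNSPECIFIED)

# Released attributes in resolver order as (id, NameID encoder format or None).
# Order is an assumption; transientId first matches what the post's log shows.
RELEASED = [
    ("transientId", TRANSIENT),
    ("eduPersonPrincipalName", None),   # no NameID encoder, never a candidate
    ("principal", UNSPECIFIED),
]


def supported_name_formats(metadata_xml):
    """NameIDFormat values from the SP metadata, applying the assumed
    'unspecified means anything' rule by returning an empty list."""
    root = ET.fromstring(metadata_xml)
    formats = [el.text.strip() for el in root.iter("{%s}NameIDFormat" % MD_NS)]
    if UNSPECIFIED in formats:
        return []
    return formats


def select_nameid(attributes, supported_formats):
    """Return the (attribute id, format) pair the IdP would encode, or None."""
    encodable = [(a, f) for a, f in attributes if f is not None]
    if not supported_formats:
        # "Selecting the first attribute that can be encoded in to a name identifier"
        return encodable[0] if encodable else None
    for attr, fmt in encodable:
        if fmt in supported_formats:
            return (attr, fmt)
    return None


def apply_deny_rule(attributes, denied_id):
    """Model an attribute-filter DenyValueRule that withholds one attribute."""
    return [(a, f) for a, f in attributes if a != denied_id]


def nameid_for(metadata_xml, attributes=RELEASED):
    return select_nameid(attributes, supported_name_formats(metadata_xml))


if __name__ == "__main__":
    print("no NameIDFormat:            ", nameid_for(METADATA_NO_FORMAT))
    print("NameIDFormat=unspecified:   ", nameid_for(METADATA_WITH_UNSPECIFIED))
    print("deny transientId for the SP:",
          nameid_for(METADATA_NO_FORMAT, apply_deny_rule(RELEASED, "transientId")))
```

Under these assumptions the only levers that change the outcome are the order of resolver definitions and what the attribute filter releases to that relying party, which is consistent with the DenyValueRule being the fix that worked.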


