Multiple Name ID's in IdP 2.x for Google Apps

Cantor, Scott cantor.2 at
Mon Aug 24 17:17:04 EDT 2015

On 8/24/15, 5:06 PM, "users on behalf of Leung, Warren" <users-bounces at on behalf of wleung at> wrote:

>I thought that the filtering would occur with the SP metadata thus using
>the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.  Am I missing
>another configuration somewhere?  I can get it to work when I add a
>DenyValueRule in the attribute filter for Google Apps.

Using "unspecified" is a bad thing, but if you want to do it, use the relying-party's nameIDFormatPrecedence setting to specify it, not the metadata. V3 ignores that value in the metadata so even if it works now, which I was very certain was not the case (but was apparently mistaken), it won't later.

(To understand why it's a bad thing, consider what happens if you have 2 SPs, and both actually require "unspecified", but they actually require different values in the NameID to link on.)

-- Scott

More information about the users mailing list