Unspecified NameId format and IdP 3.2

Thu Dec 3 14:08:36 EST 2015

I can't get the NameID to be generated in the response of the IdP when working with Google Apps as SP. Google Apps sets the NameIdPolicy with a format of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified in the authentication request. Its metadata also has the same NameIDFormat.

Doesn't Shib IdP 3.2 support the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name id format anymore?  I see the following statement in the logs:

"Ignoring NameIDFormat metadata that includes the 'unspecified' format".

When I don't specify any nameIDFormatPrecedence in the relying party XML for the Google Apps SP, it defaults to the transient NameID generator, the output of which is not a valid ID for Google Apps.


