Making urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified a supportable identifier format

Alain O'Dea alain.odea at gmail.com
Thu Jun 11 21:09:07 EDT 2015


I get the following error unless I hack the format to
urn:oasis:names:tc:SAML:2.0:nameid-format:transient in saml-java on my SP:

[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile
Action AddNameIDToSubjects: Request specified use of an unsupportable
identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

If I hack the format I get NameID values I can't use.  I need the email
address on the SP.  I don't want to do anything that will compromise my
SP's support for other IdPs.

I have the following in conf/attribute-resolver-ldap.xml:

    <resolver:AttributeDefinition id="mailAsNameId" xsi:type="ad:Simple" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>

I have the following in metadata/saml-java.xml (my SP metadata):

<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>

I have the following in conf/attribute-filter.xml:

    <!-- Release uid to saml-java -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://localhost:8080/consume.jsp" />
        <afp:AttributeRule attributeID="mailAsNameId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

I am missing something.  How do I
make urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified a supportable
identifier format?
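The post above compares a NameIDFormat requested in SP metadata with the nameFormat an IdP encoder emits. The script below is an added example, not code from the post or from the Shibboleth project: it parses both fragments and reports (a) requested formats that are not among the NameID format URIs defined in SAML 2.0 Core section 8.3 (where the "unspecified" and "emailAddress" formats keep their SAML 1.1 namespace) and (b) requested formats for which the resolver has no NameID encoder. The sample metadata and resolver documents are constructed here, and the resolver namespace URI `urn:mace:shibboleth:2.0:resolver` is an assumption about the IdP release in use.

```python
"""Cross-check SP-requested NameIDFormat URIs against an IdP attribute resolver.

Added example for the thread above; not part of the original post or of
Shibboleth. Inputs are constructed inline so the check runs offline.
"""
import xml.etree.ElementTree as ET

# NameID format identifiers defined in SAML 2.0 Core, section 8.3.
# "unspecified" and "emailAddress" are defined under the SAML 1.1 namespace.
STANDARD_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumed resolver namespace for the IdP version in the thread.
RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed SP metadata mirroring the post: requests the 2.0 "unspecified" URI.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/consume.jsp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed resolver fragment mirroring the post's mailAsNameId definition.
RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="mailAsNameId" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""


def sp_nameid_formats(metadata_xml):
    """Return every NameIDFormat URI listed in the SP metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter("{%s}NameIDFormat" % MD_NS) if e.text]


def idp_encoder_formats(resolver_xml):
    """Return the nameFormat of every NameID-producing encoder in the resolver."""
    root = ET.fromstring(resolver_xml)
    formats = []
    for enc in root.iter("{%s}AttributeEncoder" % RESOLVER_NS):
        fmt = enc.get("nameFormat")
        # Only encoders whose xsi:type ends in "NameID" produce a NameID.
        if fmt and enc.get(XSI_TYPE, "").endswith("NameID"):
            formats.append(fmt)
    return formats


def check(metadata_xml, resolver_xml):
    """Return findings as strings; an empty list means every requested format
    is a standard URI and has a matching NameID encoder."""
    producible = set(idp_encoder_formats(resolver_xml))
    findings = []
    for fmt in sp_nameid_formats(metadata_xml):
        if fmt not in STANDARD_NAMEID_FORMATS:
            findings.append("non-standard NameIDFormat in SP metadata: " + fmt)
        if fmt not in producible:
            findings.append("no NameID encoder in the resolver produces: " + fmt)
    return findings


if __name__ == "__main__":
    for line in check(SP_METADATA, RESOLVER) or ["no findings"]:
        print(line)
```

Run against the constructed inputs it reports two findings for the 2.0 "unspecified" URI; substituting the SAML 1.1 "unspecified" URI in the SP metadata clears both, because that is the URI the resolver's encoder already emits. The check only compares strings, so it will not tell you whether an IdP release accepts a given format; it tells you where the metadata and the resolver disagree.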