Making urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified a supportable identifier format

Cantor, Scott cantor.2 at osu.edu
Thu Jun 11 21:34:21 EDT 2015


On 6/11/15, 9:30 PM, "users on behalf of Alain O'Dea" <users-bounces at shibboleth.net on behalf of alain.odea at gmail.com> wrote:
>
>I changed the SP to request urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress as mentioned in the SAML 2.0 spec line 3285 and I get the following:
>
> WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Because your resolver isn't encoding anything to that format.

When the SP indicates it wants a format (other than unspecified) and the IdP doesn't know how to produce it, that's the error you get.

If this is V3, you don't use the resolver to generate a NameID, you use saml-nameid.xml to do that [1]. The underlying data can and usually does come from the resolver, but the NameID part is handled explicitly and separately.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
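
As an added illustration (not part of the original message and not the poster's actual configuration), this is roughly what a generator for the emailAddress format looks like in the IdP V3 conf/saml-nameid.xml file described above. The attribute id 'mail' is an assumption: it must match an attribute your resolver actually produces for the user.

```xml
<!-- Fragment of conf/saml-nameid.xml (IdP V3). Added example, not from the original thread. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default transient generator, used when the SP expresses no specific format. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!--
    Produces a NameID in the emailAddress format from a resolved attribute.
    'mail' is an assumed attribute id; replace it with the id defined in
    your attribute-resolver.xml.
    -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />

</util:list>
```

If no generator in this list matches the format the SP requests, or the source attribute has no value for the user, the IdP still has nothing to encode and logs the same "unsupportable identifier format" warning quoted above.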


