Encoded principle attribute

Cantor, Scott cantor.2 at osu.edu
Mon May 2 13:39:27 EDT 2016

> 09:18:18.656 - WARN
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491] - No attribute of principal 'rdeWOox+N8Gc626Gq/ZXarrUzjM=' can be encoded in to a NameIdentifier of required format
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party 'urn:federation:MicrosoftOnline'

Well, I don't know what to tell you, but you have something doing authentication that's supplying it with a username that's incomprehensible. I certainly don't think that's typical, but I guess that's really up to you; authentication is a local matter. I don't know what you're doing to handle that, and you didn't say.

Whether that's usable in our LDAP lookup is also a local matter.

The log just means what it says: you don't have an attribute resolved that has a NameID encoder attached of that Format. I would imagine the LDAP lookup returns nothing and so there are no attributes resolved.

> with a response of
> <saml2p:Status>
>       <saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>          <saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>

That means an SP explicitly demanded a particular Format and it couldn't satisfy the request.

-- Scott
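The condition the reply describes (a resolved attribute with a SAML 2 persistent NameID encoder attached, released to the requesting relying party) as an IdP 2.x configuration fragment. This is an added example, not configuration from the original thread or from the Shibboleth project; it assumes the standard namespace prefix declarations of the shipped attribute-resolver.xml and attribute-filter.xml, an existing LDAP data connector with id "myLDAP" that returns a "uid" attribute, and a placeholder salt.

```xml
<!-- Added example for attribute-resolver.xml (Shibboleth IdP 2.x).
     Assumption: a data connector id="myLDAP" already resolves "uid". -->

<!-- A ComputedId connector derives an opaque, stable value from the source
     attribute, the relying party's entityID and a secret salt. -->
<resolver:DataConnector xsi:type="dc:ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="computedID"
    generatedAttributeID="computedID"
    sourceAttributeID="uid"
    salt="REPLACE_WITH_A_LONG_RANDOM_SECRET">
    <resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

<!-- The attribute definition is what carries the encoder. Without an encoder
     whose nameFormat is the persistent URI, the IdP logs the WARN quoted above
     and answers an SP that demanded that Format with InvalidNameIDPolicy. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    id="persistentNameID"
    sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- Added example for attribute-filter.xml: an attribute that is resolved but
     not released to the relying party cannot be encoded for it either. -->
<afp:AttributeFilterPolicy id="releasePersistentNameIDToMicrosoftOnline">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="urn:federation:MicrosoftOnline" />
    <afp:AttributeRule attributeID="persistentNameID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

If the LDAP lookup itself returns nothing for the principal, as the reply suspects, no source attribute exists and neither fragment changes the outcome; check the resolver's debug log for the "myLDAP" result first.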
