Just to follow this up, I did confirm from the code that it is not "smart" enough right now to default in the name qualifier attributes if they don't match exactly what the IdP issued. If you want that feature, you'll have to file a bug on it so I remember to go back in and look at it. -- Scott