sign/encrypt assertions attributes not being honoured

Peter Schober peter.schober at
Fri Aug 3 06:39:00 EDT 2018

* sshabbir <sshabbir at> [2018-08-02 17:17]:
> Update your attribute resolver as below
> <AttributeDefinition  xsi:type="Simple" id="userName"
> sourceAttributeID="userName">
>         <Dependency ref="scriptedAttributeConnector" />     
>        <AttributeEncoder xsi:type="SAML2String"
> name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" encodeType="false" />
>     </AttributeDefinition>

No, use an encoder that's apppropiate for "userName" in the general
context, i.e., don't special-case what a "userName" is just because
you might /also/ use it as the basis for a NameID sometimes.
(I suggested the formal name of uid/userid from RFC4519, so the name
would be "urn:oid:0.9.2342.19200300.100.1.1" in the encoder, not that
the "unspecified" urn above).

The encoding as a NameID is *not* done in your provided example, here
you merely define an ordinary attribute.  It's the reference to this
attribute from saml-nameid.xml that turns it into a NameID when

> p:encryptNameIDs="false" 

Encryption of NameIDs defaults to false for many, many years now, so
you can remove that, simplifying your override a bit.


More information about the users mailing list