Learning - sending transient nameId

Norman Bodnar bodnarn at gmail.com
Thu Aug 16 16:16:34 EDT 2018

As usual, apologies ahead of time. I really am reading the docs and putting
in effort, however, understanding this particular realm still comes to me
very slowly...

I inherited a few Shibboleth IdPs. In this case, I'm configuring IdP3, the
defaults may have been tweaked so examples don't always play the same for

I want to send and see a transient nameId value (which I called
"principal3") in my SAML response. I have to code this in as the default
behaviors on this IdP have been tweaked long ago.

I have tried the following config. I do see the creation of the transient
nameid but ultimately it isn't hitting the SAML response. The SP is my own
for testing so I can tweak that as needed.


    <AttributeDefinition id="principal3" xsi:type="TransientId">
        <AttributeEncoder xsi:type="SAML1StringNameIdentifier"
            nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
        <!-- the SAML2StringNameID encoder takes nameFormat (not name) -->
        <AttributeEncoder xsi:type="SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </AttributeDefinition>


    <AttributeFilterPolicy id="ReleaseToFooblitzky">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://fooblitzky.com/shibboleth" />

        <AttributeRule attributeID="principal3">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="gid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


2018-08-16 14:52:56,514 - DEBUG
- Attribute Definition 'principal3': creating new transient ID
2018-08-16 14:52:56,514 - DEBUG
[net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] -
Attribute Definition 'principal3': produced an attribute with the following
values [StringAttributeValue{value=_c26acf29c3e543ed425b398f235ddcc3}]
2018-08-16 14:52:56,697 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:473] -
Attribute Resolver 'ShibbolethAttributeResolver': De-duping attribute
definition principal3 result
2018-08-16 14:52:56,698 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:485] -
Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'principal3'
has 1 values after post-processing
2018-08-16 14:52:56,766 - DEBUG
[net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:189] -
Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for
attribute 'principal3' remained after filtering
2018-08-16 14:52:56,907 - DEBUG
- Profile Action AddAttributeStatementToAssertion: Attempting to encode
attribute principal3 as a SAML 2 Attribute
2018-08-16 14:52:56,908 - DEBUG
- Profile Action AddAttributeStatementToAssertion: Attribute principal3 did
not have a usable SAML 2 Attribute encoder associated with it, nothing to do

I understand the last debug line provided is the "answer" but I'm trying to
understand how to get past that part. :-) What should I be looking for next?

... Before hitting send on this, I dug a bit further. I tried a few things
in saml-nameid.xml. Adding the following "worked" in that it sent the
generated value as NameId... but this isn't truly transient format?


Under:  <util:list id="shibboleth.SAML2NameIDGenerators">
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'principal3'} }" />

SAML response...

The above actually passed along my transient value in NameId, but should it
be "unspecified"? I tried the following formats as well, but then I ended
up back with the "nothing to do" again in debug...

So close. Where am I shooting myself in the foot?
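For comparison, here is an added example (not from the post and not copied from the Shibboleth distribution files) of the stock IdP v3 way to put a transient NameID into the response without routing it through the attribute resolver; it assumes the standard bean names of a default IdP v3 saml-nameid.xml and relying-party.xml, and reuses the SP entityID from the filter policy above.

```xml
<!-- conf/saml-nameid.xml: the IdP first settles on a Format (from the
     AuthnRequest's NameIDPolicy, from nameIDFormatPrecedence below, or from
     the SP metadata's NameIDFormat elements) and then runs the generators
     registered for that Format, in list order. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Built-in transient generator: emits a random per-session value with
         Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient. It needs
         no AttributeDefinition and no AttributeFilterPolicy rule. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Attribute-sourced alternative (what the post does with 'principal3'):
         set p:format explicitly. The NameID is not 'transient' just because
         the source attribute came from a TransientId definition. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        p:attributeSourceIds="#{ {'principal3'} }" />

</util:list>

<!-- conf/relying-party.xml: pin the transient Format for this one SP even if
     its metadata lists several NameIDFormat elements or none at all. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://fooblitzky.com/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
        </list>
    </property>
</bean>
```

Note that the "did not have a usable SAML 2 Attribute encoder" debug line is expected for an attribute that carries only NameID encoders: it is the attribute-statement step skipping that attribute, not a failure of NameID generation.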
