SAML2StringNameID will be removed

Peter Schober peter.schober at
Mon Dec 17 17:07:25 EST 2018

* sherrera <sherrera at> [2018-12-17 22:49]:
> <AttributeDefinition xsi:type="Simple" id="bitEmail">
>         <InputDataConnector ref="myLDAP" attributeNames="mail"/>
>         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
>         <AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
>     </AttributeDefinition>
> I've been researching NameID Generation service but it still escapes me. I
> believe I need to uncomment the PersistentGenerator in saml-nameid.xml to
> begin with.

This has nothing to do with persistent NameIDs. The above are
"attribute-based", so that's what you'd use in saml-nameid.xml.

> Then where I'm not sure is how to transition away from
> xsi:type="SAML2StringNameID" and tie that entry back to my
> "bitEmail". What would an example entry look like for this?

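  <util:list id="shibboleth.SAML2NameIDGenerators">

    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Others you might be using -->

    <!-- attributeSourceIds takes the resolver attribute id ("bitEmail" above);
         p:format is the nameFormat from the encoder being removed -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'bitEmail'} }" />

  </util:list>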

Remove the second encoder above and reload both the resolver and the
nameid configuration. Make sure you release "bitEmail" to the desired
If the SP has the provided NameIDFormat listed in its metadata that's
all you'd need to do. Test with using the --saml2 parameter
to see the actual NameID that would go out.
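
The migration discussed in this thread, as an added example (not part of the original message and not Shibboleth project code): a Python script that finds every SAML2StringNameID encoder in a resolver file and renders the attribute-sourced generator bean for saml-nameid.xml. The root element wrapper, the function names and the sample input are constructed; it assumes the bean's p:format carries the removed encoder's nameFormat and that attributeSourceIds takes the AttributeDefinition id.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the definition quoted in the thread, wrapped in a root element.
SAMPLE_RESOLVER = """\
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition xsi:type="Simple" id="bitEmail">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
    <AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  </AttributeDefinition>
</AttributeResolver>
"""


def local(name):
    """Drop an XML namespace ({uri}tag) or a QName prefix (enc:Type)."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def find_nameid_encoders(resolver_xml):
    """Return (attribute id, nameFormat or None) per SAML2StringNameID encoder."""
    hits = []
    for definition in ET.fromstring(resolver_xml).iter():
        if local(definition.tag) != "AttributeDefinition":
            continue
        for child in definition:
            if (local(child.tag) == "AttributeEncoder"
                    and local(child.get(XSI_TYPE, "")) == "SAML2StringNameID"):
                hits.append((definition.get("id"), child.get("nameFormat")))
    return hits


def generator_bean(attribute_id, name_format):
    """Render the saml-nameid.xml bean that replaces one encoder."""
    if name_format is None:  # no format on the encoder: needs a manual decision
        raise ValueError(f"{attribute_id}: no nameFormat, set p:format manually")
    return (
        '<bean parent="shibboleth.SAML2AttributeSourcedGenerator"\n'
        f'      p:format="{name_format}"\n'
        f"      p:attributeSourceIds=\"#{{ {{'{attribute_id}'}} }}\" />"
    )


if __name__ == "__main__":
    for attr_id, fmt in find_nameid_encoders(SAMPLE_RESOLVER):
        print(generator_bean(attr_id, fmt))
```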

