idp 3.3.2, SP wants transient and persistent ID's

Robert Duncan Robert.Duncan at
Fri Nov 2 09:43:29 EDT 2018

Thanks Scott,

"Clean" in this case means not upgraded from V2 and without support for legacy generators

"To enable the legacy support, the idp.nameid.saml2.legacyGenerator and idp.nameid.saml1.legacyGenerator properties must be uncommented and set to the values commented out in the file. This is done for you when performing an upgrade from V2."

Robert Duncan

From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Friday 2 November 2018 13:31
To: Shib Users
Subject: Re: idp 3.3.2, SP wants transient and persistent ID's

On 11/2/18, 9:17 AM, "users on behalf of Robert Duncan" <users-bounces at on behalf of Robert.Duncan at> wrote:

> A non Shibboleth SP is requesting nameid's like so:

Taken literally that metadata would mean the SP doesn't require any particular form of a NameID at all, so you shouldn't give it one (or just give it a transient). When that fails, you can conclude the metadata's wrong to begin with.

> I'm confident that we are producing persistentID's as I can query them in the database.

Whether you are or not, the formats in metadata are treated as an ordered list and the log should show it attempting to produce/generate each format in turn and failing on each one until it hits transient and succeeds. So you are not configured to produce a persistent NameID for that SP, and I would presume the log would say that it failed trying.

> I tested with aacli, the result for the metadata above is no attributes, should I be able to view persistent ID's as
> 'traditional' attributes with a clean install 3.3.2

NameIDs are not attributes at all. The new aacli will show the NameID produced for an SP via the ---saml2 option and usually reflects what would happen during a login. A clean install with no changes won't produce any NameID but transient. "Clean" would mean "no modifications or customizations".

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
The information contained and transmitted in this e-mail is confidential information, and is intended only for the named recipient to which it is addressed. The content of this e-mail may not have been sent with the authority of National College of Ireland. Any views or opinions presented are solely those of the author and do not necessarily represent those of National College of Ireland. If the reader of this message is not the named recipient or a person responsible for delivering it to the named recipient, you are notified that the review, dissemination, distribution, transmission, printing or copying, forwarding, or any other use of this message or any part of it, including any attachments, is strictly prohibited. If you have received this communication in error, please delete the e-mail and destroy all record of this communication. Thank you for your assistance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list