Help with name ID

Mike Osterman ostermmg at
Thu Nov 15 18:05:31 EST 2018

I'm trying to get set up with an SP and have run into an issue I've not
seen before in the logs:

2018-11-15 13:45:16,955 - WARN
[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile
Action AddNameIDToSubjects: Request specified use of an unsupportable
identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2018-11-15 13:45:16,956 - WARN
[org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
occurred while processing the request: InvalidNameIDPolicy

I came across this thread where this issue gets discussed, but haven't been
able to resolve the issue with the info there or the
linked NameIDGenerationConfiguration resource page:

First, we are a v3 IdP, and started with v3 - no upgrade happened.

So far, I've made sure that my saml-nameid.xml is configured as follows:

*    <!-- SAML 2 NameID Generation -->*
*    <util:list id="shibboleth.SAML2NameIDGenerators">*
*        <ref bean="shibboleth.SAML2TransientGenerator" />*
*        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"*
*            p:attributeSourceIds="#{ {'mail'} }" />*

*    </util:list>*

*    <!-- SAML 1 NameIdentifier Generation -->*
*    <util:list id="shibboleth.SAML1NameIdentifierGenerators">*
*        <ref bean="shibboleth.SAML1TransientGenerator" />*
*        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"*
*            p:attributeSourceIds="#{ {'mail'} }" />*
*    </util:list>*

I haven't changed anything in the file, as the
comment in the saml-nameid.xml file implies that is only needed for the
Persistent generator (and I'm intending to use Transient).

The attribute-resolver.xml has the following definition for mail:
*    <AttributeDefinition id="mail" xsi:type="Simple"
*        <Dependency ref="myLDAP" />*
*        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />*
*        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />*
*    </AttributeDefinition>*

I'm assuming that the saml-nameid.xml is pulling from here when referencing
mail in the p:attributeSourceIds bean property, and that the p:format
property is what should be presenting it
as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, but obviously
somethings not wired/configured right.

Finally, I do have an attributeFilterPolicy releasing "mail" to the
requester in attribute-filter.xml.

Unlike the OP on the above thread, I don't have control over the SP, so I'm
stuck trying to make my IdP fit their request.

Thanks for any suggestions you can provide.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list