IDP Initiated doubt on nameID

Nate Klingenstein ndk at
Mon Apr 8 04:54:43 EDT 2019


The IdP decides which NameID to send based on a number of factors, including configuration of your IdP, the metadata of the SP, and the AuthnRequest.  Their AuthnRequests must be specifying a particular AuthnContextClass, while the same class is absent from the metadata or the configuration.

The advisable approach would be to ask the SP to put its desired NameID's in its metadata.  If they're unwilling to, you can either do so yourself(at which point you're managing their metadata), or you can add a special RelyingParty configuration for them.  Please see nameIDFormatPrecedence:

> Can you please advice as to why the nameID not getting password, even though it is configured in saml-nameid.xml for both.

This sentence worries me.  You should never need to send passwords to the SP.

Take care,

More information about the users mailing list