IDP Initiated doubt on nameID

Nate Klingenstein ndk at
Mon Apr 8 11:42:47 EDT 2019

> The IdP decides which NameID to send based on a number of factors, including configuration of your IdP, the metadata of the SP, and the AuthnRequest.  Their AuthnRequests must be specifying a particular AuthnContextClass, while the same class is absent from the metadata or the configuration.

I apologize, I meant to write particular NameID, not AuthnContextClassRef.  An example:

    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
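
Added example, not part of the original post: a Python sketch that compares the `NameIDPolicy` format in an SP-initiated `AuthnRequest` with the `NameIDFormat` entries in the SP's metadata, and shows that an IdP-initiated flow has no request to supply that hint. The sample XML, the entityID and the function names are constructed for illustration, and the sketch does not model the IdP's actual selection logic.

```python
import xml.etree.ElementTree as ET  # constructed input only; use a hardened parser for untrusted SAML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed SP-initiated AuthnRequest carrying the NameIDPolicy from the post.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    ID="_constructed1" Version="2.0" IssueInstant="2019-04-08T15:00:00Z">
  <samlp:NameIDPolicy AllowCreate="true" Format="{EMAIL}"/>
</samlp:AuthnRequest>"""

# Constructed SP metadata that does not list the emailAddress format.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://sp.example.org/constructed">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_format(authn_request_xml):
    """Format asked for in NameIDPolicy; None when there is no request (IdP-initiated)."""
    if authn_request_xml is None:
        return None
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None


def metadata_formats(sp_metadata_xml):
    """NameIDFormat values the SP advertises in its metadata, in document order."""
    root = ET.fromstring(sp_metadata_xml)
    found = root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)
    return [e.text.strip() for e in found if e.text]


def nameid_inputs(authn_request_xml, sp_metadata_xml):
    """Summarize the format hints available to the IdP for one login flow."""
    requested = requested_format(authn_request_xml)
    listed = metadata_formats(sp_metadata_xml)
    # request_only: the format is expressed only in the AuthnRequest, so it
    # is absent whenever the login starts at the IdP.
    return {"requested": requested, "metadata": listed,
            "request_only": requested is not None and requested not in listed}
```

When `request_only` is true for the SP-initiated flow, adding the format to the SP's metadata or to the IdP's configuration for that SP makes both flows see the same hint.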
