IDP Initiated doubt on nameID
Nate Klingenstein
ndk at signet.id
Mon Apr 8 11:42:47 EDT 2019
> The IdP decides which NameID to send based on a number of factors, including configuration of your IdP, the metadata of the SP, and the AuthnRequest. Their AuthnRequests must be specifying a particular AuthnContextClass, while the same class is absent from the metadata or the configuration.
I apologize, I meant to write particular NameID, not AuthnContextClassRef. An example:
<samlp:AuthnRequest>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
  ...
</samlp:AuthnRequest>
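
An added example, not part of the original post: a small check that reads the NameIDPolicy Format out of an SP's AuthnRequest and compares it with the NameIDFormat values in that SP's metadata, to spot the mismatch described above. The sample XML, the sp.example.org entityID and the function names are constructed for illustration; it does not model how any particular IdP weighs these inputs.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    ID="_constructed1" Version="2.0" IssueInstant="2019-04-08T15:00:00Z">
  <samlp:NameIDPolicy AllowCreate="true" Format="{EMAIL}"/>
</samlp:AuthnRequest>"""

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Note: for XML from an untrusted party, parse with a hardened library
# such as defusedxml instead of the standard-library parser.
def requested_format(authn_request_xml):
    """Return the NameIDPolicy Format from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None


def metadata_formats(sp_metadata_xml):
    """Return the NameIDFormat values the SP lists in its metadata."""
    root = ET.fromstring(sp_metadata_xml)
    path = ".//md:SPSSODescriptor/md:NameIDFormat"
    return [el.text.strip() for el in root.iterfind(path, NS) if el.text]


def compare(authn_request_xml, sp_metadata_xml):
    """Classify the request: no-policy, consistent, or request-only."""
    req = requested_format(authn_request_xml)
    listed = metadata_formats(sp_metadata_xml)
    if req is None:
        return "no-policy", req, listed
    return ("consistent" if req in listed else "request-only"), req, listed


if __name__ == "__main__":
    status, req, listed = compare(SAMPLE_REQUEST, SAMPLE_METADATA)
    print(f"{status}: AuthnRequest asks for {req}; metadata lists {listed}")
```

A "request-only" result means the format is being asked for in the AuthnRequest alone, which is the case to look at when the NameID released differs from what the metadata or IdP configuration would suggest.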