IdP implementation roadmap

Yakov Revyakin yrevyakin at
Thu Apr 18 09:39:25 EDT 2019

Hi guys, thanks to you I have done some steps forward.

Could you help me understand how the IdP manages the following related case,
where the goal is to get a NameID in the emailAddress format:
1) SP metadata includes


2) authnrequest doesn't include any NameIDPolicy records
3) AttributeResolver&Filter provide 'mail'

Is the next step to modify saml-nameid.xml in the following way?

<util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:attributeSourceIds="#{ {'mail'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="IAMShowcase" />
        </property>
    </bean>
</util:list>

And relying-party.xml in the following way? (As the request doesn't include
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="IAMShowcase">
            <property name="profileConfigurations">
                    <bean parent="SAML2.SSO"

Is there any way to automate this behaviour using the NameIDFormat information
presented in the metadata, and so drop the last two steps?


On Tue, 16 Apr 2019 at 19:35, Andrew Morgan <morgan at> wrote:

> On Tue, 16 Apr 2019, Yakov Revyakin wrote:
> > I ask you to push me somehow to understand a roadmap:
> > 1) How to make Shib IdP and a metadata-less SP friends?
> As others have said, you just create a metadata file by inserting the
> entityID and ACS URL of the SP.  The IDP operates from metadata, so you'll
> need to make metadata somehow.
> > 2) How to force the IdP to return the user name inside NameID tag with
> > NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> This wiki page explains it:
> Here is a sample for saml-nameid.xml you might be able to use:
>    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>          p:attributeSourceIds="#{ {'uid'} }">
>        <property name="activationCondition">
>            <bean parent="shibboleth.Conditions.OR">
>                <constructor-arg>
>                    <list>
>                        <bean parent="shibboleth.Conditions.RelyingPartyId"
>                              c:candidate="https://sp1" />
>                        <bean parent="shibboleth.Conditions.RelyingPartyId"
>                              c:candidate="https://sp2" />
>                    </list>
>                </constructor-arg>
>            </bean>
>        </property>
>    </bean>
> This will generate an "unspecified" format NameID from the "uid" attribute
> for an SP with entityID of "https://sp1" or "https://sp2".
> You will also need to add an override to relying-party.xml to force the
> use of the "unspecified" NameID for these SPs.  That is documented at the
> bottom of the wiki page.
> Thanks,
>         Andy
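As an added illustration, not code from this thread or from the Shibboleth project, the Python model below walks through the NameID selection the questions above turn on: a generator sourced from `mail` that is active only for the `IAMShowcase` relying party, an AuthnRequest with no NameIDPolicy, and SP metadata that declares the emailAddress format. The selection order it implements (a NameIDPolicy in the request first, then a configured precedence list standing in for the relying-party override, then the NameIDFormat elements in SP metadata, then a transient identifier) is the example's own assumption about IdP behaviour; the metadata, requests, attribute values and every entityID other than IAMShowcase are constructed for the example.

```python
"""Self-contained model of SAML2 NameID format selection (example code, not
Shibboleth IdP code).  Assumed order: request NameIDPolicy, then a configured
precedence list, then SP metadata NameIDFormat elements, then transient.
A generator is used only when its activation condition admits the relying
party, which is what keeps the e-mail based NameID from reaching every SP."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
KNOWN_FORMATS = {FMT_EMAIL, FMT_UNSPECIFIED, FMT_PERSISTENT, FMT_TRANSIENT}

# Constructed sample documents: the entityID "IAMShowcase" mirrors the thread,
# the ACS location, request IDs and attribute values are made up.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="IAMShowcase">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2019-04-18T13:39:25Z"/>"""

REQUEST_PERSISTENT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req2" Version="2.0" IssueInstant="2019-04-18T13:39:25Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""


def metadata_nameid_formats(metadata_xml: str) -> List[str]:
    """NameIDFormat values the SP declares, in document order; unknown URIs are dropped."""
    root = ET.fromstring(metadata_xml)
    found = [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS) if e.text]
    return [f for f in found if f in KNOWN_FORMATS]


def requested_nameid_format(request_xml: str) -> Optional[str]:
    """Format from the request's NameIDPolicy, or None when the request carries none."""
    policy = ET.fromstring(request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None


@dataclass
class Generator:
    """One NameID generator: its format, how it derives a value from resolved
    attributes, and an activation condition over the relying party ID."""
    fmt: str
    make_value: Callable[[Dict[str, str]], Optional[str]]
    active_for: Callable[[str], bool] = lambda _rp: True


def select_nameid(relying_party: str, request_xml: str, metadata_xml: str,
                  attributes: Dict[str, str], generators: List[Generator],
                  precedence: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Return (format, value).  A format named in the request is binding: if no
    active generator can produce it the caller gets a ValueError, not a fallback."""
    active = [g for g in generators if g.active_for(relying_party)]
    requested = requested_nameid_format(request_xml)
    if requested is not None:
        candidates = [requested]
    else:
        candidates = list(precedence) + metadata_nameid_formats(metadata_xml) + [FMT_TRANSIENT]
    for fmt in candidates:
        for gen in active:
            if gen.fmt == fmt:
                value = gen.make_value(attributes)
                if value is not None:  # source attribute absent: try the next candidate
                    return fmt, value
    raise ValueError(f"InvalidNameIDPolicy: no active generator for {candidates}")


# Generators modelled on the two configurations in the thread (assumed, not copied):
# emailAddress from 'mail' for IAMShowcase only, 'unspecified' from 'uid' for two
# SPs, and an always-available transient generator as the safe default.
GENERATORS = [
    Generator(FMT_EMAIL, lambda a: a.get("mail"), active_for=lambda rp: rp == "IAMShowcase"),
    Generator(FMT_UNSPECIFIED, lambda a: a.get("uid"),
              active_for=lambda rp: rp in ("https://sp1", "https://sp2")),
    Generator(FMT_TRANSIENT, lambda _a: secrets.token_urlsafe(16)),
]

if __name__ == "__main__":
    attrs = {"mail": "alice@example.invalid", "uid": "alice"}
    for rp in ("IAMShowcase", "https://sp1", "https://other-sp.invalid"):
        print(rp, select_nameid(rp, REQUEST_NO_POLICY, SP_METADATA, attrs, GENERATORS))
```

Running the model for the three relying parties shows the point of the activation condition: only IAMShowcase receives the e-mail address, while an unrelated SP whose metadata also asks for emailAddress is given a transient identifier instead of the address. The `https://sp1` case only yields the unspecified NameID when `precedence` is set, which corresponds to the relying-party override Andy mentions, since the sample metadata does not declare that format. If metadata comes from outside the organisation, parse it with a hardened XML parser rather than plain `ElementTree`.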