IdP implementation roadmap

Andrew Morgan morgan at
Thu Apr 18 12:26:14 EDT 2019

On Thu, 18 Apr 2019, Yakov Revyakin wrote:

> Hi guys, thanks to you I have done some steps forward.
> Could you help me understand how the IdP manages the following related case
> to get NameID in format of emailAddress:
> 1) SP metadata includes
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

The unspecified format is ignored in metadata.  In this case, only the 
emailAddress format will be used.

> 2) authnrequest doesn't include any NameIDPolicy records
> 3) AttributeResolver&Filter provide 'mail'
> (urn:oid:0.9.2342.19200300.100.1.3)
> Is next step to modify saml-nameid.xml in the following way?
> <util:list id="shibboleth.SAML2NameIDGenerators">
>    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>      p:attributeSourceIds="#{ {'mail'} }">
>      <property name="activationCondition">
>          <bean parent="shibboleth.Conditions.RelyingPartyId"
> c:candidate="IAMShowcase" />
>      </property>
>    </bean>
> </util:list>

You don't need an activationCondition here, unless you really only want to 
release the 'mail' attribute for emailAddress NameID format requests from 
this specific SP.  If you want to release the 'mail' attribute as the 
NameID when *any* SP requests emailAddress format, leave out the 

> And relying-party.xml in the following way? (As the request doesn't include
> NameIDPolicy)
>    <util:list id="shibboleth.RelyingPartyOverrides">
>        <bean parent="RelyingPartyByName" c:relyingPartyIds="IAMShowcase">
>            <property name="profileConfigurations">
>                <list>
>                    <bean parent="SAML2.SSO"
> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> />
>                </list>
>            </property>
>        </bean>
>    </util:list>

You don't need a nameIDFormatPrecedence override in relying-party.xml if 
the NameID format is specified in metadata or in the SAML authn request.

> Is there any way to automate the behavior using information about
> NameIDFormat presented in metadata and exclude 2 last steps?

Yes.  You don't need an override in relying-party.xml when the metadata 
contains a NameID Format.

You do need to add a NameID generator to saml-nameid.xml so that the 
Shibboleth IDP can respond to emailAddress NameID format requests, but it 
doesn't need an activationCondition specific to a single SP.

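As an added illustration of the advice above (not the original poster's file and not taken from the thread), here is what the generator list in saml-nameid.xml looks like once the SP-specific activationCondition is dropped. It assumes the stock layout of that file in a Shibboleth IdP v3 install, that the attribute resolver defines 'mail' and the attribute filter releases it to the SPs in question, and that the SP's metadata (or its NameIDPolicy) names the emailAddress format, so no nameIDFormatPrecedence override is added to relying-party.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of conf/saml-nameid.xml; assumes the stock file layout
     shipped with Shibboleth IdP v3 and an attribute named 'mail' that the
     resolver produces and the filter releases. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:list id="shibboleth.SAML2NameIDGenerators">

        <!-- Stock transient generator: still answers SPs whose metadata
             lists no usable format (an 'unspecified' entry is ignored). -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- emailAddress NameID sourced from the 'mail' attribute.
             No activationCondition: every SP whose metadata NameIDFormat
             or request NameIDPolicy asks for emailAddress gets it, as long
             as 'mail' is released to that SP by the attribute filter.
             To limit it to one SP, add back the activationCondition from
             the question:
               <property name="activationCondition">
                 <bean parent="shibboleth.Conditions.RelyingPartyId"
                       c:candidate="IAMShowcase" />
               </property> -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              p:attributeSourceIds="#{ {'mail'} }" />

    </util:list>

    <!-- SAML 1 side left at the stock default. -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
    </util:list>

</beans>
```

With this in place the format choice is driven entirely by what the SP declares: the emailAddress entry in its metadata selects the attribute-sourced generator, and if 'mail' is not released to a given SP the generator produces nothing and the IdP falls through to the next usable format, which is the practical reason the filter policy (step 3 in the question) matters as much as this file.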
