Cherwell application (on-prem)

Lohr, Donald A - lohrda lohrda at
Sat Apr 27 08:55:57 EDT 2019

The SP configuration is done inside the application on their SAML Settings GUI screen. Once configured, this screen has an export button which copies the internal configuration to a xml formatted file containing the SP metadata. The intent of this file is to sneaker-net it to the IdP. 

In this SAML Settings GUI is listed two choices for "Type of ID":

E-mail address
Windows login

We were told the Windows login is equivalent to samaccountname, or in our case the CN attribute (a users login account name) in our non-AD LDAP directory used by our IdP. 

We believe it is the selection of "Windows login" that wrote the following line to the SP metadata file:


The use of email address as the record match is a whole nother issue to involved to explain here. 


Sent from an Apple iDevice

> On Apr 27, 2019, at 6:43 AM, Peter Schober <peter.schober at> wrote:
> * Lohr, Donald <lohrda at> [2019-04-26 22:56]:
>> In the SP metadata is:
>> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:*nameid-format:kerberos*</md:NameIDFormat>
> Are you manageing the metadata for the SP or are you consuming their
> metadata directly from somewhere else?
> The IDP would use emailAddress if you had configured support for that
> (e.g. for other services) because it's listed first.
> Also why kerberos? The SAML spec defines that NameID format as:
>  Kerberos principal name using the format name[/instance]@REALM.
> but your sAMAccountName will not have an instance nor a REALM?
> To me the more obvious NameID format to use to send a local,
> unqualified userid (sAMAccountName) would be (note the second sentence
> about omitting the qualifier):
> urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
>  A Windows domain qualified user name is a string of the form
>  "DomainName\UserName". The domain name and "\" separator MAY be omitted.
>> <resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple"
>> sourceAttributeID="cn">
>>     <resolver:Dependency ref="oud" />
>>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="sAMAccountName" encodeType="false" />
>> </resolver:AttributeDefinition>
> 1. Why would you use the resolver to generate NameIDs and not the
> saml-nameid.xml configuation? Something like this should suffice
> (within the "shibboleth.SAML2NameIDGenerators" list; assuming the
> NameID format I suggested to use above):
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>    p:omitQualifiers="true"
>    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
>    p:attributeSourceIds="#{ {'sAMAccountName'} }" />
> 2. Why would you configure support for the "unspecified" NameID format
> if you know the SP wants something else and you said above you want to
> use kerberos?
> So what you say you want to achieve and what you configured simply
> does not match.
> -peter
> -- 
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list