Cherwell application (on-prem)

Peter Schober peter.schober at
Sun Apr 28 16:27:27 EDT 2019

* Lohr, Donald A - lohrda <lohrda at> [2019-04-28 15:20]:
> I do not know how to take this from the SP metadata:
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:*nameid-format:kerberos*</md:NameIDFormat>
> ...and code it on our IdP, since we have a requirement to use a
> users account name and not email address as the record match.

That depends on where that metadata comes from (which I keep asking
but you keep ignoring):

If you manage that metadata, i.e., your IDP loads it from a local
file, then you remove the former line and leave only the latter in the
If your IDP loads that metadata remotely (e.g. from the SP itself) you
cannot change it, and so instead you would configure an override in
the IDP's relying-party.xml config file.
(The documentation covers this and if you have trouble with
understanding the documentation you can always ask here.)

> > why did you configure your IDP to produce the "unspecified" NameID format instead?
> We are looking for some Shib IdP 3x examples of what goes into our
> IdP .xml file to make this SP work.

That's about as unspecific as one can be. I told you what to put where
exactly. You don't even need to understand it, only copy and paste it
(and adapt the NameID format to the chosen one, here the kerberos one).

If my concrete instructions were unclear, stating that you just "want
the SP to work" does nothing to tell me what I'd need to do
differently so that you could understand it.
So this is clearly going nowhere.
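For readers following the remote-metadata case Peter describes, here is what such an override looks like on a Shibboleth IdP 3.x. This is an added illustration, not configuration from the thread or from the IdP project; the SP entityID, the `uid` attribute id and the file paths are assumptions and must be replaced with your own values.

```xml
<!-- conf/relying-party.xml: prefer the kerberos NameID format for this one SP only,
     regardless of the order the SP's metadata lists its NameIDFormat elements in.
     The entityID below is a placeholder. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://cherwell.example.edu/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos" />
            </list>
        </property>
    </bean>
</util:list>

<!-- conf/saml-nameid.xml: a generator that builds the kerberos-format NameID from an
     account-name attribute ("uid" is assumed) instead of from mail. The activation
     condition scopes it to the same SP so other relying parties are unaffected. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
          p:attributeSourceIds="#{ {'uid'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://cherwell.example.edu/shibboleth'} }" />
        </property>
    </bean>
</util:list>
```

The source attribute must also be released to that SP in attribute-filter.xml, or the generator has nothing to work from and the IdP falls back to the next generator in the list.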


