convert legacy NameID to current

Peter Schober peter.schober at univie.ac.at
Thu Aug 8 15:37:32 EDT 2019


* sherrera <sherrera at bradley.edu> [2019-08-08 20:28]:
> The default value in saml-nameid.xml looks similar to what I need for the
> format. But when I try to release mail in attribute-filter.xml only my other
> attributes get released and mail is ignored. How do I release this?:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>       p:omitQualifiers="true"
>       p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>       p:attributeSourceIds="#{ {'mail'} }" />

How do you test what gets released? I'm asking because of your "only
my other attributes" -- the NameID would not be sent as an attribute
(literally). When testing with the aacli using the "--saml2" option
you do see the NameID, too:

$ /opt/shibboleth-idp/bin/aacli.sh --saml2 -n SOME-ID -r SOME-SP

Maybe that's what you're doing but I wanted to make sure.

> idp-process.log - WARN
> [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile
> Action AddNameIDToSubjects: Request specified use of an unsupportable
> identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Your snippet from conf/saml-nameid.xml matches what I have so either
it's in the wrong spot or maybe you didn't reload the NameID
configuration (or restart the IDP, as a more forceful method).
Or something else, I guess. :)

-peter
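The two things Peter suggests checking, that the generator bean is in the right spot in conf/saml-nameid.xml and that the aacli "--saml2" output actually carries the NameID in the Subject rather than as an attribute, can be verified offline. The script below is an added example, not code from the thread or from the Shibboleth project. It assumes the IdP 3.x/4.x layout of saml-nameid.xml, where SAML 2 generators are listed inside the `<util:list id="shibboleth.SAML2NameIDGenerators">` element, and it works on constructed sample input: two config fragments (one with the emailAddress generator inside that list, one with the same bean placed outside it) and a hand-written assertion shaped like what aacli prints.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
P = "http://www.springframework.org/schema/p"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GENERATOR_LIST_ID = "shibboleth.SAML2NameIDGenerators"

# Constructed saml-nameid.xml fragment (not a real deployment file): the
# emailAddress generator sits inside the SAML2 generator list, as the IdP expects.
CONFIG_IN_LIST = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">
  <util:list id="{GENERATOR_LIST_ID}">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:omitQualifiers="true"
          p:format="{EMAIL_FORMAT}"
          p:attributeSourceIds="#{{ {{'mail'}} }}" />
  </util:list>
</beans>"""

# Constructed fragment with the same bean in the "wrong spot": it is a top-level
# bean, so the generator list never sees it and the format stays unsupported.
CONFIG_OUTSIDE_LIST = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">
  <util:list id="{GENERATOR_LIST_ID}">
    <ref bean="shibboleth.SAML2TransientGenerator" />
  </util:list>
  <bean id="emailNameID" parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="{EMAIL_FORMAT}"
        p:attributeSourceIds="#{{ {{'mail'}} }}" />
</beans>"""

# Constructed assertion in the shape aacli --saml2 prints: the NameID lives in
# the Subject; the AttributeStatement carries the separately released attributes.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example" Version="2.0"
    IssueInstant="2019-08-08T19:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="{EMAIL_FORMAT}">jdoe@example.org</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                     FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def configured_nameid_formats(config_xml):
    """Return the p:format of every generator bean inside the SAML2 generator list."""
    root = ET.fromstring(config_xml)
    generator_list = root.find(f"{{{UTIL}}}list[@id='{GENERATOR_LIST_ID}']")
    if generator_list is None:
        return []
    # <ref> entries have no p:format; only <bean> children with a format count.
    return [bean.get(f"{{{P}}}format")
            for bean in generator_list.findall(f"{{{BEANS}}}bean")
            if bean.get(f"{{{P}}}format")]


def format_is_supported(config_xml, fmt):
    """True if a generator for fmt is wired into the generator list."""
    return fmt in configured_nameid_formats(config_xml)


def subject_nameid(assertion_xml):
    """Return (Format, value) of the Subject NameID, or None if absent."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if nameid is None:
        return None
    return nameid.get("Format"), (nameid.text or "").strip()


def released_attribute_names(assertion_xml):
    """Names of attributes in the AttributeStatement (the NameID is not among them)."""
    root = ET.fromstring(assertion_xml)
    return [a.get("FriendlyName") or a.get("Name")
            for a in root.iter(f"{{{SAML2}}}Attribute")]


if __name__ == "__main__":
    for label, cfg in (("in list", CONFIG_IN_LIST), ("outside list", CONFIG_OUTSIDE_LIST)):
        print(f"{label}: emailAddress supported = {format_is_supported(cfg, EMAIL_FORMAT)}")
    print("Subject NameID:", subject_nameid(SAMPLE_ASSERTION))
    print("Attributes:", released_attribute_names(SAMPLE_ASSERTION))
```

Point `configured_nameid_formats` at the real conf/saml-nameid.xml and `subject_nameid` at saved aacli output to check both halves of the diagnosis. If the bean is in the list but the WARN from AddNameIDToSubjects persists, the remaining step from the thread is to reload the NameID generation service (bin/reload-service.sh with the shibboleth.NameIdentifierGenerationService id in IdP 3.x/4.x) or restart the IdP.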


More information about the users mailing list