NameIDFormat emailAddress SAML:2.0 (?)

Alan Angulo (Office365 admin) alan at live.esu.edu
Fri Nov 22 16:05:09 EST 2019


Dear Shibboleth community,
I have a vendor requesting to pass the emailAddress in the NameID subject of our SAML response.
The user authenticates correctly, but right after, the browser goes into an infinite redirect.

The log entries show a warning regarding an unsupportable identifier:
"2019-11-22 15:40:51,583 - 192.148.111.xxx - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337]
- Profile Action AddNameIDToSubjects:
Request specified use of an unsupportable identifier format:
urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

The vendor's metadata has this entry:
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>

I suspect the vendor's metadata is referencing the wrong NameIDFormat in his metadata. I am thinking it should be this:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

since that's the format stated in the saml-nameid.xml config file of the Shibboleth IdP 3.4.6.

Can someone confirm that this is the cause of the problem?

Thanks!


~Alan Angulo

Senior Systems Administrator / Office 365 Administrator

East Stroudsburg University | 570-422-3783 | alan at esu.edu | alan at live.esu.edu
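
Added example, not part of the original post and not Shibboleth code: SAML 2.0 Core (section 8.3) lists the email address format under the 1.1 URN, and the following Python check lints SP metadata for NameIDFormat values outside that spec-defined list. The entityID, endpoint and sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Name identifier formats defined in SAML 2.0 Core, section 8.3.
SPEC_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
# Index by final URN component so a near-miss can be matched to a spec URI.
BY_SUFFIX = {uri.rsplit(":", 1)[1].lower(): uri for uri in SPEC_FORMATS}

# Constructed sample SP metadata (hypothetical entityID and endpoint).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_name_id_formats(metadata_xml):
    """Return (entityID, declared, closest_spec_uri) per non-spec NameIDFormat."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for el in entity.iter(f"{{{MD_NS}}}NameIDFormat"):
            declared = (el.text or "").strip()
            if declared in SPEC_FORMATS:
                continue
            # Custom format URIs are legal in SAML, so this is a finding to
            # review, not a schema error; closest_spec_uri may be None.
            suffix = declared.rsplit(":", 1)[-1].lower()
            findings.append((entity.get("entityID"), declared, BY_SUFFIX.get(suffix)))
    return findings


if __name__ == "__main__":
    for entity_id, declared, hint in check_name_id_formats(SAMPLE_METADATA):
        print(f"{entity_id}: {declared!r} is not spec-defined; closest spec URI: {hint}")
```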