IDP rely configuration - Adobe suggests a modification of default behaviour - any hints?

Peter Schober peter.schober at
Fri Oct 4 07:58:47 EDT 2019

* Cantor, Scott <cantor.2 at> [2019-02-12 04:46]:
> > We just went through this here. AFAIK, they require an email address for both
> > the NameID format and the released attribute - and that attribute must be
> > named "Email"
> They do not require an email NameID as long as an appropriate value
> is placed in the user's entry in Adobe's system in the FederatedID
> field, and they support standard attribute naming for
> givenName/sn/mail.

Thanks for the above information. Seems this has only now reached our
federation members, at last, judging from recent support requests.
I'll be advising to use the pairwise-id or subject-id URNs as the
NameIDFormat, then.

Does anyone know whether the Okta SP (as used for Adobe Inc.) supports

While the generated metadata I've seen does contain a certificate that
comes with the use="signing" restriction (which when paired with
SPSSODescriptor/@AuthnRequestsSigned="false" and no SLO support makes
no sense as there's nothing left for the SP to sign).
Not knowing what (else) might be wrong I was hoping for the
use="signing" to be wrong, too.
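An added example (not from the thread or from Adobe/Okta) of the sanity check implied above: it parses SP metadata and flags a KeyDescriptor with use="signing" when the SP neither signs AuthnRequests nor publishes SLO endpoints, a missing encryption-capable key, and an emailAddress-only NameIDFormat. The metadata, entityID and certificate value are constructed placeholders.

```python
# Constructed sample SP metadata (not real Adobe/Okta metadata).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/placeholder">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_sp_metadata(xml_text: str) -> list:
    """Return human-readable findings for the first SPSSODescriptor in xml_text."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor found"]
    findings = []
    # AuthnRequestsSigned defaults to false when the attribute is absent.
    signs_requests = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    has_slo = sp.find("md:SingleLogoutService", NS) is not None
    # KeyDescriptor/@use is optional; a key without it may be used for both purposes.
    uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
    if "signing" in uses and not signs_requests and not has_slo:
        findings.append('KeyDescriptor use="signing" but AuthnRequestsSigned is false '
                        "and no SingleLogoutService: the SP has nothing to sign")
    if "encryption" not in uses and None not in uses:
        findings.append("no encryption-capable key: assertions cannot be encrypted to this SP")
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]
    if formats and all(f == EMAIL_FMT for f in formats):
        findings.append("only emailAddress NameIDFormat declared; prefer pairwise-id/subject-id")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_SP_METADATA):
        print("-", finding)
```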
