Set NameID format in relying party?

Peter Schober peter.schober at
Wed Sep 11 04:43:37 EDT 2019

* Baron Fujimoto <baron at> [2019-09-11 05:34]:
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>             p:attributeSourceIds="#{ {'mail'} }" />

Aside 1:
The distributed example configuration also contains this:
but maybe that was added later in the release cycle?
Either way I'd add this here, too. (Not that SPs requiring use of
email address NameIDs are likely to even look at those qualifiers.)

>         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />

Aside 2: Encryption of NameIDs hasn't been the default for many, many
years now (early 2.x releases, IIRC) so there's nothing to override if
you want to disable those.

> The wiki says, "If the metadata contains nothing, or contains the
> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then
> the metadata is ignored." And, "Otherwise

Exactly, otherwise meaning "If not absent or unspecified" and that
conditional does not apply in your case.

> Does this mean that the format listed in nameIDFormatPrecedence must
> actually also be present in the metadata? If so, it doesn't seem
> like I gain anything by trying to set nameIDFormatPrecedence in the
> SP's relying party entry.

No, because (as you say) it would be nonsensical.

> but I can't figure out exactly how to incorporate this into the
> existing SP's RelyingParty entry.

Sorry, I don't remember the old IDP 2.x configuration. Why don't you
use the old v2.x documentation to figure this out?
And logging, always logging.

