Attribute mapping sometimes failing in SP 3

Cantor, Scott cantor.2 at
Fri Apr 10 12:50:31 EDT 2020

NameID decoding (in all SP versions) applies to actual NameID elements and AttributeValues that contain NameID elements (the deprecated way of passing eduPersonTargetedID). It does not operate on string data within an AttributeValue element, and those formats/names do not apply to data passed in string form.

> 1. Can I get shibd to log the full attribute values to help with diagnosis?

Only via debug logging of the XML as a whole.

> 2. What do I need to suggest to the IdP admin so they can provide the attribute in a format that works?

They should be passing a SAML 2.0 NameID in that format, and not using a SAML Attribute.

If they want to do it the "recommended" way, that's the subject-id and pairwise-id attributes that replace usage of NameID and legacy targetedID syntaxes completely. The decoding rules for those are in the latest distributions; they're in the simplest scoped form. That material is the "last word" on all of this from me in SAML. Everything we did around identifiers was wrong, and all I can do is point to the best answer there is and leave it at that.

-- Scott
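As an added illustration (not part of the original thread), the three decoding cases the reply distinguishes, written as SP attribute-map.xml entries: the scoped subject-id/pairwise-id attributes, a real persistent NameID, and the deprecated targetedID Attribute whose AttributeValue wraps a NameID. The attribute names and decoder types are the standard Shibboleth ones; the `id` values are assumed.

```xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Recommended path: subject-id and pairwise-id are plain scoped
         strings (user@scope), so a ScopedAttributeDecoder handles them.
         No NameID format or qualifier rules are involved. -->
    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- An actual <saml:NameID> in the persistent format: this is the
         element NameID decoding operates on. -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>

    <!-- Deprecated path: eduPersonTargetedID sent as a SAML Attribute whose
         AttributeValue CONTAINS a NameID element. Still NameID-decoded.
         If the IdP instead sends this attribute as a bare string value,
         this decoder does not apply and the mapping produces nothing,
         which is the failure described in the thread. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>
</Attributes>
```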
