Help with NameID
Lipscomb, Gary
glipscomb at csu.edu.au
Fri Aug 7 02:03:12 UTC 2020
Hi Amit,
In saml-nameid.xml, only do it for the entityIDs that need it:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'emailAsNameID'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              c:candidates="#{{ entityID }}" />
    </property>
</bean>
In the attribute resolver, note there is no attribute encoder:
<AttributeDefinition id="emailAsNameID" xsi:type="Simple">
    <InputAttributeDefinition ref="email" />
</AttributeDefinition>
In the attribute filter, release emailAsNameID; it's needed to generate the SAML NameID, but it is not released as an attribute since it has no encoder.
Regards
Gary
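Gary describes the attribute-filter step but does not show it. The policy below is an added example, not from the thread, that releases emailAsNameID only to the AWS SP; the entity ID value and the policy id are placeholders. Because the resolver definition has no AttributeEncoder, this release lets the NameID generator read the value while nothing is emitted as an Attribute in the assertion.

```xml
<!-- attribute-filter.xml fragment (added example, not from the thread).
     Release emailAsNameID only to the AWS SP so the SAML2AttributeSourcedGenerator
     can source the NameID from it. The definition carries no AttributeEncoder,
     so the value is never encoded as an <Attribute> in the assertion.
     Replace the placeholder with the SP's real entityID. -->
<AttributeFilterPolicy id="releaseEmailAsNameIDToAWS">
    <PolicyRequirementRule xsi:type="Requester" value="ENTITY_ID_OF_AWS_SP_PLACEHOLDER" />
    <AttributeRule attributeID="emailAsNameID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Leave the plain email attribute out of the rules for this requester; that is what keeps it out of the assertion without triggering InvalidNameIDPolicy, since the generator reads emailAsNameID instead.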
From: users <users-bounces at shibboleth.net> On Behalf Of Amit Dongaonkar
Sent: Friday, 7 August 2020 10:36
To: Shib Users <users at shibboleth.net>
Subject: Help with NameID
Hello users,
I am using Shibboleth IdP 3.4 and am trying to provide an assertion to AWS services.
They need the NameID as email; however, they do not want the email attribute coming in the assertion.
I tried different ways mentioned in the documentation but as soon as I remove the mail attribute from the attribute-filter.xml I see the invalidNameIDPolicy error.
Note that I am using a policy override for AWS SP.
Thanks and Regards,
Amit Dongaonkar