Help with NameID

Lipscomb, Gary glipscomb at csu.edu.au
Fri Aug 7 02:03:12 UTC 2020


Hi Amit,

In saml-nameid.xml, only do it for the entityIDs that need it

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'emailAsNameID'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{{ entityID }}" />
            </property>
        </bean>


In the attribute resolver, note there is no attribute encoder

    <AttributeDefinition id="emailAsNameID" xsi:type="Simple">
      <InputAttributeDefinition ref="email" />
    </AttributeDefinition>


In the attribute filter, release emailAsNameID; it's needed to generate the SAML NameID, but it is not released as an attribute since it has no encoder

Regards
Gary
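Added example for the third step above (the attribute filter), not taken from Gary's post or the Shibboleth project. It assumes the IdP 3.x attribute-filter.xml namespace and uses a placeholder entityID for the AWS SP; the real value comes from the SP's metadata. Only the encoder-less emailAsNameID attribute is released to that SP, so the NameID generator has its source value while no mail attribute ever appears in the assertion:

```xml
<!-- attribute-filter.xml: release emailAsNameID to the AWS SP only.
     urn:example:aws-sp is a placeholder, substitute the SP's real entityID. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseEmailAsNameIDToAWS">
        <!-- Scope the policy to the one relying party that needs it -->
        <PolicyRequirementRule xsi:type="Requester" value="urn:example:aws-sp" />

        <!-- emailAsNameID has no encoder, so it feeds the NameID generator
             but cannot be emitted as a SAML attribute -->
        <AttributeRule attributeID="emailAsNameID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Deliberately no rule for "email" / "mail": nothing is released
             as an attribute that this SP did not ask for -->
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

A quick check after restarting the IdP: the resolved-attribute debugging output for a request from that entityID should list emailAsNameID in the filtered set, and the issued assertion should carry an emailAddress-format NameID with an empty AttributeStatement.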


From: users <users-bounces at shibboleth.net> On Behalf Of Amit Dongaonkar
Sent: Friday, 7 August 2020 10:36
To: Shib Users <users at shibboleth.net>
Subject: Help with NameID

Hello users,
I am using Shibboleth IdP 3.4 and am trying to provide an assertion to AWS services.
They need the NameID as email; however, they do not want the email attribute coming in the assertion.
I tried different ways mentioned in the documentation, but as soon as I remove the mail attribute from the attribute-filter.xml I see the InvalidNameIDPolicy error.

Note that I am using a policy override for AWS SP.


Thanks and Regards,


Amit Dongaonkar

