Help with NameID

Lipscomb, Gary glipscomb at
Fri Aug 7 02:03:12 UTC 2020

Hi Amit,

In saml-nameid.xml, only do it for the entityIDs that need it:

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'emailAsNameID'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{{ entityID }}" />
            </property>
        </bean>

In the attribute resolver, note there is no attribute encoder:

    <AttributeDefinition id="emailAsNameID" xsi:type="Simple">
      <InputAttributeDefinition ref="email" />
    </AttributeDefinition>

In the attribute filter, release emailAsNameID; it's needed to generate the SAML NameID, but it is not released as an attribute since it has no encoder.


From: users <users-bounces at> On Behalf Of Amit Dongaonkar
Sent: Friday, 7 August 2020 10:36
To: Shib Users <users at>
Subject: Help with NameID

Hello users,
I am using Shibboleth IdP 3.4 and am trying to provide an assertion to AWS services.
They need the nameID as email; however, they do not want the email attribute coming in the assertion.
I tried different ways mentioned in the documentation but as soon as I remove the mail attribute from the attribute-filter.xml I see the invalidNameIDPolicy error.

Note that I am using a policy override for AWS SP.

Thanks and Regards,

Amit Dongaonkar
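
A check for the outcome this thread is after, as an added example (not code from the thread or from the Shibboleth project): it inspects an assertion and reports whether the NameID uses the emailAddress format and whether any attribute repeats the NameID value. The assertion template, user@example.org and urn:example:role are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned and trimmed assertion used only as sample input.
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{fmt}">user@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:role">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    {extra}
  </saml:AttributeStatement>
</saml:Assertion>"""
MAIL_ATTR = ('<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" '
             'FriendlyName="mail"><saml:AttributeValue>user@example.org'
             '</saml:AttributeValue></saml:Attribute>')
SAMPLE_OK = TEMPLATE.format(fmt=EMAIL_FORMAT, extra="")
SAMPLE_LEAK = TEMPLATE.format(fmt=EMAIL_FORMAT, extra=MAIL_ATTR)


def check_assertion(xml_text):
    """Return a list of findings; an empty list means the NameID is an
    emailAddress and no released attribute carries the same value.
    Inspection only: no signature or condition validation is done, and
    untrusted input should go through a hardened XML parser instead."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    findings = []
    value = (name_id.text or "").strip().lower()
    if name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is %r, expected emailAddress"
                        % name_id.get("Format"))
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        label = attr.get("FriendlyName") or attr.get("Name")
        for val in attr.iterfind("saml:AttributeValue", NS):
            if (val.text or "").strip().lower() == value:
                findings.append("attribute %s repeats the NameID value" % label)
    return findings


if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        print(name, check_assertion(doc))
```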
