Help with NameID

Cantor, Scott cantor.2 at
Fri Aug 7 13:09:12 UTC 2020

On 8/6/20, 8:35 PM, "users on behalf of Amit Dongaonkar" <users-bounces at on behalf of amitd at> wrote:

>    I tried different ways mentioned in the documentation but as soon as I remove the mail attribute from the attribute-filter.xml I see the invalidNameIDPolicy error.

That suggests you're not using "AWS" here; this is some other SP. AWS "proper" has no requests; it's IdP-initiated, so there's no possible way to trigger that error.

AWS itself doesn't require particular NameID values, though it sort of supports them alongside its own custom role and session name attributes. But that's not relevant to this question.

In either case, the correct answer to "don't send me the attribute" if you also have to include the NameID is "too bad, fix your code". The incorrect answer is to filter the attribute out, add an explicit NameID-generator bean with an activation condition for just that SP, and toggle the flag on the generator to rely on "unfiltered" attributes.

-- Scott
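What the per-SP generator workaround in Scott's last paragraph looks like in conf/saml-nameid.xml, as an added illustration that is not part of the thread. The bean and property names follow the Shibboleth IdP v4 conventions as understood here (treat them as assumptions to check against your IdP version), the emailAddress format is assumed since the thread does not state which format the SP asks for, and the entityID is a placeholder.

```xml
<!-- Added example, not from the thread. Goes inside conf/saml-nameid.xml.
     Bean/property names per Shibboleth IdP v4 as understood here; the
     NameID format and the SP entityID below are assumptions/placeholders. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Keep the default transient generator first so every other SP is
         unaffected by the bean below. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- NameID built from the 'mail' attribute (the attribute the question
         removed from attribute-filter.xml), active only for the one SP that
         insists on it, selected by entityID. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }"
          p:useUnfilteredAttributes="true">
        <!-- useUnfilteredAttributes="true" is the flag Scott refers to: the
             generator reads 'mail' before attribute-filter.xml is applied, so
             the deny rule for this SP no longer controls whether the value
             leaves the IdP. The activation condition is therefore doing the
             release decision for this attribute; keep it as narrow as the
             candidate list below. -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>

</util:list>
```

The effect to verify after reloading: the SP in the candidate list receives the email NameID but no 'mail' attribute in the assertion, and every other SP still gets the transient NameID and its normal filtered attribute set.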
