Help with NameID
Cantor, Scott
cantor.2 at osu.edu
Fri Aug 7 13:09:12 UTC 2020
On 8/6/20, 8:35 PM, "users on behalf of Amit Dongaonkar" <users-bounces at shibboleth.net on behalf of amitd at nitssolutions.com> wrote:
> I tried different ways mentioned in the documentation but as soon as I remove the mail attribute from the attribute-filter.xml I see the invalidNameIDPolicy error.
That suggests you're not using "AWS" here, this is some other SP. AWS "proper" has no requests, it's IdP-initiated, so there's no possible way to trigger that error.
AWS itself doesn't require particular NameID values, though it sort of supports them alongside its own custom role and session name attributes. But that's not relevant to this question.
In either case, the correct answer to "don't send me the attribute" if you also have to include the NameID is "too bad, fix your code". The incorrect answer is to filter the attribute out, add an explicit NameID-generator bean with an activation condition for just that SP, and toggle the flag on the generator to rely on "unfiltered" attributes.
-- Scott
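For reference, the workaround Scott describes (and argues against) as it would look in the IdP's saml-nameid.xml; this is an added illustration, not config from the thread, and the entity ID, the 'mail' attribute, and the parent bean/property names (shibboleth.SAML2AttributeSourcedGenerator, shibboleth.Conditions.RelyingPartyId, useUnfilteredAttributes) are taken from memory of the IdP v4 configuration reference and should be checked against it. It assumes attribute-filter.xml already denies 'mail' to that one SP.

```xml
<!-- Added example for saml-nameid.xml; entity ID is a placeholder. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default: keep issuing transient IDs to everyone else. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Explicit email-format generator that reads 'mail' BEFORE the
         attribute filter runs (useUnfilteredAttributes), so the SP gets
         the NameID even though the filter withholds the attribute.
         The activation condition limits this to the one relying party. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }"
        p:useUnfilteredAttributes="true">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>

</util:list>
```

The point of scoping with the activation condition is containment: without it, every SP requesting the email format would receive a NameID built from data the filter policy never released to it.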