Help with NameID

Amit Dongaonkar amitd at
Fri Aug 7 13:23:03 UTC 2020

Hello users,
First of all, Gary, thanks for your inputs. I had already modified the
saml-nameid.xml as you pointed out but will follow through the remaining
points to see what happens.

Peter, I was also surprised when the AWS support team asked me to
specifically remove the mail attribute. If you follow the link (
says on page 11 and 12 what attributes they need. My argument to the AWS
team was: if the mail attribute does come in, can they not still operate?
I am sure a lot of people have integrated Shibboleth with AWS, but not sure
how many have integrated the AWS VPN client with Shibboleth as this is a
relatively new service (3-4 months old, I was told by the support team).

Robert, I should have mentioned in my initial email that I am working on
getting AWS VPN client to talk to Shibboleth. I know when it comes to AWS
console integration with Shibboleth the critical attribute is the
role (memberOf) attribute as this relates back to the IAM role for a user.
However, in the case of AWS VPN Client, although they require the 'memberOf'
attribute in the assertion, they are not using any IAM roles to grant
access. So as such the 'memberOf' attribute is of no use, at least as of
now; maybe in the future it may get utilized.

Thanks and Regards,

*Amit Dongaonkar*

*Snr. Technical Architect Lead*

o: (248) 284-4035 m: (248) 385-6033

40850 Grand River Ave #100, Novi, MI 48375

On Fri, Aug 7, 2020 at 9:09 AM Cantor, Scott <cantor.2 at> wrote:

> On 8/6/20, 8:35 PM, "users on behalf of Amit Dongaonkar" <
> users-bounces at on behalf of amitd at> wrote:
>
> >    I tried different ways mentioned in the documentation but as soon as
> > I remove the mail attribute from the attribute-filter.xml I see the
> > invalidNameIDPolicy error.
>
> That suggests you're not using "AWS" here, this is some other SP. AWS
> "proper" has no requests, it's IdP-initiated, so there's no possible way to
> trigger that error.
>
> AWS itself doesn't require particular NameID values, though it sort of
> supports them alongside its own custom role and session name attributes.
> But that's not relevant to this question.
>
> In either case, the correct answer to "don't send me the attribute" if you
> also have to include the NameID is "too bad, fix your code". The incorrect
> answer is to filter the attribute out, add an explicit NameID-generator
> bean with an activation condition for just that SP, and toggle the flag on
> the generator to rely on "unfiltered" attributes.
>
> -- Scott
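
The workaround described in the quoted reply, sketched as Shibboleth IdP configuration. This is an added example, not configuration posted by anyone in the thread. The entityID is a placeholder, and the emailAddress format and the `mail` source attribute are assumptions about what the SP requests.

```xml
<!-- conf/saml-nameid.xml: add the bean inside the existing SAML 2 generator list. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- NameID sourced from 'mail' even though the filter does not release it.
         useUnfilteredAttributes bypasses attribute-filter.xml for this NameID only,
         so the activation condition keeps it scoped to one relying party. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }"
          p:useUnfilteredAttributes="true">
        <property name="activationCondition">
            <!-- Placeholder entityID: replace with the SP's real one. -->
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="https://sp.example.org/PLACEHOLDER-entityID" />
        </property>
    </bean>

</util:list>

<!-- conf/attribute-filter.xml: policy for the same SP (id is a made-up name). -->
<AttributeFilterPolicy id="placeholder-sp-policy">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://sp.example.org/PLACEHOLDER-entityID" />

    <!-- memberOf is still released as an attribute. -->
    <AttributeRule attributeID="memberOf">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- No AttributeRule for 'mail': it is filtered out of the AttributeStatement,
         while the generator above can still read it to build the NameID. -->
</AttributeFilterPolicy>
```

Check the property names against the documentation for the IdP version in use before deploying, and confirm in the IdP audit log that the assertion for this SP carries the NameID but no `mail` attribute.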