Help setting up SAML for Apache Guacamole
Peter Schober
peter.schober at univie.ac.at
Fri Aug 14 08:34:01 UTC 2020
* melvin.lasky <melvin.lasky at manhattan.edu> [2020-08-14 03:02]:
> We are able to get in... But in order to get UID sent as a non-random
> generated string, I changed the metadata, and I added something to
> saml-nameid.xml
I see you've solved the issue with missing attributes.
Reading your config snippets, are you saying the SP cannot process
attributes for the identifier of the subject (but does support
attributes for other data) and only supports NameIDs for that?
Either way, personally I wouldn't send "uid" in an
emailAddress-format'ed NameID -- unless your "uid" attribute actually
does contain email addresses as values?
If the SP only supports NameIDs for the identifier and does *not*
check the NameIDFormat I'd use the attribute's formal name as the
NameIDFormat, e.g. "urn:oid:0.9.2342.19200300.100.1.1" for uid (or
"urn:oid:1.3.6.1.4.1.5923.1.1.1.6" for ePPN).
If the SP only supports NameIDs for the identifier and *does* check
the NameIDFormat I'd use a NameIDFormat that reflects the actually
sent data, such as
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
(from SAML core: "A Windows domain qualified user name is a string of
the form "DomainName\UserName". [...] The domain name and "\" separator
MAY be omitted." So essentially a plain userid is fine, there.)
Of course there are more permutations possible (the SP only supports
NameIDs, does check the NameIDFormat but does *not* support a format
that's appropriate for the data you're sending -- maybe send other
data, then?) but doing any of the above gives you a cleaner
saml-nameid.xml config and avoids any conditional logic trickery
(activation conditions) -- you define your data with the appropriate
NameIDFormats (meaning it would always be correct/applicable) and then
simply put the desired format into the SP's metadata.
-peter
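As an added illustration (not from Peter's post or from the Shibboleth project), this is what the "clean" saml-nameid.xml approach described above can look like in a Shibboleth IdP v3/v4 configuration, together with the matching SP metadata fragment. The attribute IDs 'uid' and 'eduPersonPrincipalName' are assumed to match the IDs defined in the IdP's attribute-resolver; the SP entityID is a placeholder.

```xml
<!-- conf/saml-nameid.xml (added example; IdP v3/v4 Spring syntax) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Each generator is bound to the NameIDFormat that truthfully
         describes its data, so no activation condition is needed;
         the IdP picks the generator whose format the SP asks for. -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <!-- Default: opaque per-session transient identifier. -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- SP does not check the format: use the attribute's own
             formal name (urn:oid of uid) as the NameIDFormat. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oid:0.9.2342.19200300.100.1.1"
            p:attributeSourceIds="#{ {'uid'} }" />

        <!-- SP checks the format: a bare userid is a valid
             WindowsDomainQualifiedName (domain and "\" MAY be omitted). -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
            p:attributeSourceIds="#{ {'uid'} }" />

        <!-- emailAddress is only honest if the source really holds
             mail addresses; ePPN is scoped user@realm, not a mailbox,
             so prefer its urn:oid here too. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }" />
    </util:list>
</beans>

<!-- SP metadata as loaded by the IdP: the SP's desired format is
     selected here, not by conditional logic in saml-nameid.xml. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://guacamole.example.org/sp">   <!-- placeholder -->
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

With the list above, an SP whose metadata requests the urn:oid format for uid gets exactly that, and one requesting WindowsDomainQualifiedName gets the same userid under a format that truthfully describes it.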