Set NameID to Principal name

Peter Schober peter.schober at
Fri Dec 4 11:54:15 UTC 2020

* Abhishek Chouksey <abhishekchouksey10 at> [2020-12-04 12:32]:
> I am new to shibboleth and trying to perform IDP initiated SSO

So the SP is known to be broken and doesn't support SP-initiated SSO?

> My SP metadata file contain these attribute :
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
> => does it means that my SP is accepting email address as nameIDFormat?

Yes. Or the metadata is just inaccurate (it often is).
Above the (ill-defined) "unspecified" format is also requested,
that's not a good sign, either.

>  <!--Name Identifier related attributes -->
>     <resolver:AttributeDefinition id="transientId"
> xsi:type="ad:TransientId">
>         <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
> nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
>         <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>     </resolver:AttributeDefinition>

What version of the software are you running?

Since IDPv3 came out (which will go out of support in 4 weeks) many
years ago NameIDs are no longer configured in the resolver. So I guess
this is a very old system that you upgraded from v2 or even older and
you simply never bothered to modernise the configuration?

Either way, completely removing the above shouldn't have any effects
as the IDP will support transient NameIDs without any attribute
definitions for them. (Of course test this, e.g. using the provided
aacli tool.)

I'm aware that's not what you're really asking (which is "How do I
send arbitrary data as a NameID?"), but since the documentation covers
this there's no point in repeating it here just in case.

> so when request is made in saml tracer I can see that nameID is set to some
> encoded string
> Issuer                      = https://<xyz>/idp/shibboleth
> Subject                     = _8a6f5377a471fc24182dfa02ea194b43
> NameID                      = _8a6f5377a471fc24182dfa02ea194b43
> =>IS this due to Transient?

Very likely. If you used the aacli with the --saml2 parameter
(assuming you're using SAML2 with the SP in question) it would tell
you exactly why because you'd see the NameID *Format* then, as well.

> =>So how can I make my nameID field to be set as my principal name like
> xyz at because my SP is using nameID as username during access I
> guess?

First you need to stop guessing what the SP needs. Make sure you know
for certain. Then you need to get into the habit of reading the
documentation others have written to answer such questions.
Here's how you would find it for the old IDPv3:

Documentation home for IDPv3:
-> Configuration
-> SAML NameID Generation
-> "Custom Identifier Generation"

Same for IDPv4:

Documentation home for IDPv4:
-> Configuration
-> SAML NameID Generation
-> "Custom Identifier Generation"
