Set NameID to Principal name

Ray Bon rbon at
Tue Dec 8 16:41:01 UTC 2020


See these docs on nameid,


On Fri, 2020-12-04 at 17:02 +0530, Abhishek Chouksey wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

I am new to shibboleth and trying to perform IDP initiated SSO

My SP metadata file contain these attribute :

=>does it means that my SP is accepting email address as nameIDFormat?

and in my IDP attribute-resolver.xml :

 <!--Name Identifier related attributes -->
    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

so when request is made in saml tracer I can see that nameID is set to some encoded string
Issuer                      = https://<xyz>/idp/shibboleth
Subject                     = _8a6f5377a471fc24182dfa02ea194b43
NameID                      = _8a6f5377a471fc24182dfa02ea194b43

=>IS this due to Transient?

=>So how can I make my nameID field to be set as my principal name like xyz at<mailto:xyz at> because my SP is using nameID as username during access I guess?


Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at<mailto:rbon at>

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list