Configuring shibboleth SP NameID format persistent

Feinstein, Moses moses.feinstein at
Tue Jun 16 18:49:05 UTC 2020

Thank you, Scott, for taking the time to respond.

Based on your response below, possibly you can clarify the following for me:

We are integrating with an external vendor's SP, which is sending the following in its authentication request:
	<samlp:AuthnRequest ID="_065731e5-8dd5-4704-b1a1-80e40754be2d"
		<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
		<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />


The vendor is requesting the persistent NameID format:
	<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />

Q1. Does the vendor's authentication request look valid to you? Even though my Shibboleth IdP is configured to reply with the "persistent" NameID format, because the SP implicitly requests the persistent format, my IdP throws an error:
	<saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
	2020-06-16 14:44:07,369 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
	2020-06-16 14:44:07,369 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
If I don't specify the NameID format as persistent in the SP authentication request, then the IdP responds properly with the "persistent nameID":
	<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"

I am trying to replicate the same request with the Shibboleth SP, and I can't seem to find any documentation which explains how to configure an authentication request which would include the NameID policy format as persistent, similar to the example above.

Q2. Can you provide any documentation reference which can accomplish this type of request in the Shibboleth SP?
	<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, June 16, 2020 1:57 PM
To: Shib Users <users at>
Subject: Re: Configuring shibboleth SP NameID format persistent 

On 6/16/20, 1:50 PM, "users on behalf of Feinstein, Moses" <users-bounces at on behalf of moses.feinstein at> wrote:

> Can you provide me some pointers regarding how I can configure
> Shibboleth SP to specify the following during authentication request
> to idp
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:persistent</NameIDFormat>

There is no such Format, that's the wrong constant, but specifying formats that do exist or are locally defined is handled with the NameIDFormat content setting or property in various places in the configuration (search the wiki).

-- Scott
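
The point made in the reply above, as an added example that is not part of the original thread and is not Shibboleth code: a Python check that reads the NameIDPolicy Format from an AuthnRequest and flags URIs in the OASIS namespace that are not defined constants, such as the SAML 1.1 "persistent" string, while letting locally defined URIs through. The sample request, the sp.example.org issuer and the idp_formats set standing in for an IdP's configured formats are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
OASIS = "urn:oasis:names:tc:SAML:"
# Name identifier format URIs defined in the SAML 2.0 core specification.
DEFINED = {OASIS + s for s in (
    "1.1:nameid-format:unspecified", "1.1:nameid-format:emailAddress",
    "1.1:nameid-format:X509SubjectName",
    "1.1:nameid-format:WindowsDomainQualifiedName",
    "2.0:nameid-format:kerberos", "2.0:nameid-format:entity",
    "2.0:nameid-format:persistent", "2.0:nameid-format:transient",
    "2.0:nameid-format:encrypted",  # special value, valid in NameIDPolicy
)}
PERSISTENT_20 = OASIS + "2.0:nameid-format:persistent"
PERSISTENT_11 = OASIS + "1.1:nameid-format:persistent"  # not a defined constant


def make_request(fmt=None):
    """Build a constructed, well-formed AuthnRequest (sample data only)."""
    policy = ('<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>' % fmt
              if fmt else "")
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" '
            'Version="2.0" IssueInstant="2020-06-16T18:00:00Z">'
            '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            'https://sp.example.org/shibboleth</saml:Issuer>%s'
            '</samlp:AuthnRequest>' % (SAMLP, policy))


def check_name_id_policy(xml_text, idp_formats):
    """Return (requested_format, verdict) for one AuthnRequest."""
    root = ET.fromstring(xml_text)
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    fmt = policy.get("Format") if policy is not None else None
    if fmt is None:
        return (None, "no-format-requested")   # IdP picks its default
    if fmt.startswith(OASIS) and fmt not in DEFINED:
        return (fmt, "undefined-constant")     # typo in the OASIS namespace
    if fmt not in idp_formats:
        return (fmt, "not-offered-by-idp")     # compared as exact strings
    return (fmt, "ok")                         # includes locally defined URIs


if __name__ == "__main__":
    # idp_formats here is a hypothetical IdP configured with the 1.1 string.
    for fmt in (PERSISTENT_20, PERSISTENT_11, None):
        print(check_name_id_policy(make_request(fmt), {PERSISTENT_11}))
```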
