Configuring shibboleth SP NameID format persistent

Cantor, Scott cantor.2 at
Tue Jun 16 19:43:11 UTC 2020

On 6/16/20, 2:49 PM, "users on behalf of Feinstein, Moses" <users-bounces at on behalf of moses.feinstein at> wrote:

> Based on your response below, possibly  you can clarify for me the following:

The SP, rightly or wrongly, claims it requires a SAML 2 persistent NameID. Your configuration is producing a Format constant with 1.1 in the string instead of 2.0, and they don't match, ergo, error. What you're producing is wrong so you should fix the IdP.

There's no place in the IdP configuration that requires supplying that constant, it's built-in to the persistent NameID generation plugins that are present and commented by default. So I don't know why it's there or where, but it's incorrect because of a cut and paste error.

> Q1.  Does the vendor authentication request looks valid to you? Even though my shibboleth IdP is configured to reply
> with "persistent" nameid format,

Yes, it's valid (which is not the same as "right", because I doubt they actually require it).

No, the IdP is configured to produce a Format that doesn't match the standard or what the SP is requesting. Close doesn't match.

> Q2.  can provide any documentation reference which can accomplish this type of request in Shibboleth SP?

SP wiki -> search for NameIDFormat

Set it as a content setting anywhere they apply (<SSO> element, RequestMap, Apache via ShibRequestSetting), or redirect to /Shibboleth.sso/Login?NameIDFormat=<format>

--- Scott

More information about the users mailing list