saml2 response missing <saml2:Subject> tag

Pablo Vidaurri psvidaurri at
Mon Mar 30 09:25:37 EDT 2020

There is nothing unusual in the logs except for the following for SPs
whose metadata has NameId as unspecified:
Ignoring NameIDFormat metadata that includes the 'unspecified' format.

Using Firefox's SAML tracer, the SAML response has no subject tag in it
unless it is part of the encoded EncryptedData tag.

I did update c14n/attribute-sourced-subject-c14n-config.xml to use uid as
the attribute to use (default altuid) and I am releasing uid in attr
resolver/filter but still no subject tag in the response.

To clarify, in the OP I mentioned errors on the SAML response. It is the SP
that is saying they are getting errors on their end while processing the
SAML response. The response does contain a successful status and
encryptedAssertion tag:

<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>


On Mon, Mar 30, 2020 at 7:20 AM Cantor, Scott <cantor.2 at> wrote:

> > Hi, I'm using shib idp 3.4.6. I have several SPs working fine. We are
> > bringing in a new SP but getting errors on the saml response. They are
> > claiming the issue is due to lack of <saml2:Subject> in the response.
> > How is this tag enabled and configured in shib?
> There is nothing the IdP would generate without a Subject element unless
> it were an error response.
> Did you check the logs with appropriate tracing on to confirm this?
> -- Scott
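
The situation described in the message above (a Success status with an EncryptedAssertion, where any Subject would sit inside the EncryptedData) can be checked mechanically on a decoded response. The following is an added example, not part of the original post and not Shibboleth code; `triage_response` and both sample documents are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def triage_response(xml_text):
    """Summarise what a decoded, not yet decrypted, SAML 2.0 Response exposes.

    Meant for responses you captured yourself (e.g. from a browser tracer);
    parse untrusted XML with a hardened parser such as defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["p"]:
        raise ValueError("root element is not a SAML 2.0 protocol Response")
    code = root.find("p:Status/p:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    plain = root.findall("a:Assertion", NS)
    encrypted = root.findall("a:EncryptedAssertion", NS)
    # A Subject is only readable here if its Assertion was sent unencrypted.
    visible = sum(1 for a in plain if a.find("a:Subject", NS) is not None)
    if status != SUCCESS:
        verdict = "error response: no Subject expected"
    elif visible:
        verdict = "Subject visible in plaintext Assertion"
    elif encrypted:
        verdict = "Subject not inspectable: Assertion is encrypted to the SP"
    elif plain:
        verdict = "plaintext Assertion carries no Subject"
    else:
        verdict = "Success status but no Assertion at all"
    return {"status": status, "plain_assertions": len(plain),
            "encrypted_assertions": len(encrypted),
            "visible_subjects": visible, "verdict": verdict}


# Constructed samples (not taken from the thread); ciphertext is a placeholder.
WRAP = ('<saml2p:Response xmlns:saml2p="%(p)s" xmlns:saml2="%(a)s">'
        '<saml2p:Status><saml2p:StatusCode Value="{status}"/></saml2p:Status>'
        '{body}</saml2p:Response>') % NS
ENCRYPTED_SAMPLE = WRAP.format(status=SUCCESS, body=(
    '<saml2:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion>'))
PLAIN_SAMPLE = WRAP.format(status=SUCCESS, body=(
    '<saml2:Assertion><saml2:Subject><saml2:NameID>jdoe</saml2:NameID>'
    '</saml2:Subject></saml2:Assertion>'))

if __name__ == "__main__":
    for name, doc in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage_response(doc))
```

For the encrypted case the verdict only says the Subject cannot be inspected from the wire capture; confirming its presence requires decrypting the assertion with the SP's private key or reading the IdP's own debug logging.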