Support for X509SubjectName Name ID

Ullfig, Roberto Alfredo rullfig at
Thu May 14 15:23:34 UTC 2020

        <bean parent="RelyingPartyByName" c:relyingPartyIds="">


Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Thursday, May 14, 2020 9:51 AM
To: Shib Users <users at>
Subject: Re: Support for X509SubjectName Name ID

On 5/14/20, 10:24 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

> Ok, releasing fixed it. Thanks! Their azure application is still failing - maybe you can give some insight on the matter?

That's why I wouldn't have done it at this stage. There is virtually no chance they *require* that Format. Most NameID-consuming vendors have no idea what a Format is, they ignore the field entirely. Any matching ID value will usually work. I'd roll back what you did for now and focus on the primary problem first.

> "We also had to set the Outgoing Claim Type for SAM-Account-Name to "Name Id". Can you try setting the Outgoing
> Claim Type to "Name Id"?

I suspect they're trying to suggest that you need to pass them a NameID and not an Attribute, but that's not SAML terminology.

> Do you think I'd have to create a new attribute called Name ID? I already created one called SAM-Account-Name and am
> releasing that.

No, I don't. They cobbled together some bit of insanity from the terms they think they know and just mashed them together.

You can't guess what they want, so if they don't know, that's going to be an impasse until they find the one person they probably have on staff that actually does know.

What I normally do if the NameID approach doesn't work is to pass what I normally would, and clearly articulate to the other party what the names of my Attributes are and ask that they simply map them in or accept the NameID (using a standard/appropriate Format). Then I wait for a response.

I doubt I use whatever this is because I have very little Azure exposure, but the other thing is: don't defend these guys by keeping them anonymous. Identifying the application allows somebody who's had to make it work to weigh in and describe what was required. (That assumes it's not just some local/custom thing, but if it were you should have more access to them to get them to do it correctly.)

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
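As an added example, not code from this thread or from Shibboleth: a small Python script that parses a constructed SAML 2.0 assertion and reports separately what arrived in the Subject NameID (with its Format) and what arrived as a released Attribute, the two distinct elements that the vendor's "Outgoing Claim Type" wording conflates. The assertion, the issuer URL, the DN and the account value are constructed placeholders, and SAM-Account-Name is assumed to be the released attribute's Name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace

# Constructed sample assertion (not real IdP output): a Subject NameID in the
# X509SubjectName Format plus one released Attribute carrying the account
# name. The issuer, DN and account value are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2020-05-14T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=rullfig,OU=ACCC,O=example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SAM-Account-Name">
      <saml:AttributeValue>rullfig</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_name_id(assertion_xml):
    """Return (Format, value) of the Subject NameID, or None if there is none."""
    nid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if nid is None:
        return None
    return (nid.get("Format"), (nid.text or "").strip())


def parse_attributes(assertion_xml):
    """Return {Name: [values]} for every Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return attrs


def resolve_identifier(assertion_xml, attribute_name):
    """SP-side view of one assertion: what arrived as the NameID (Format and
    value) and what arrived as the named Attribute. The Format is reported,
    not enforced, since most consumers match on the value alone."""
    name_id = parse_name_id(assertion_xml)
    return {
        "nameid_format": name_id[0] if name_id else None,
        "nameid_value": name_id[1] if name_id else None,
        "attribute_values": parse_attributes(assertion_xml).get(attribute_name, []),
    }
```

Running `resolve_identifier(SAMPLE_ASSERTION, "SAM-Account-Name")` on the sample shows the DN in the NameID and the bare account name in the Attribute, which is the distinction to spell out to the other party.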