Nameid in clear text

Mathew, Sunil smathew at
Mon Nov 2 21:02:50 UTC 2020


When I send an encrypted NameID to the SP, it creates a new user every time I log in with an account, because the SP tries to match by the NameID. So I need to send the NameID in clear text.

Here is my attribute-filter.xml:

        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="" />

        <afp:AttributeRule attributeID="quickbase_federated_id">
            <afp:PermitValueRule xsi:type="basic:ANY" />

Here is my attribute-resolver.xml:
    <resolver:AttributeDefinition xsi:type="ad:PrincipalName" id="quickbase_federated_id">
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" friendlyName="uid" />

Here is my relying-party.xml:
        <bean parent="RelyingPartyByName" c:relyingPartyIds="">
            <property name="profileConfigurations">
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />

Here is the SP metadata:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     index="1" />


For other SPs, I used to comment out this line in relying-party.xml in order to send the NameID in clear text:
<bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />

Now if I do that, I get the following error:
2020-11-02 16:00:51,838 - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:221] - Validation failure: Failed to resolve both a data and a key encryption credential
2020-11-02 16:00:51,838 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:343] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters

Can you please let me know how I can send the NameID as clear text?

Thanks for your help.
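When debugging a "new user on every login" symptom like the one described above, the first thing worth checking is what the SP actually receives: whether the Subject carries a clear-text NameID or an EncryptedID, which Format it has, and whether the assertion is still signed once encryption is turned off. The following Python script is an added example, not code from the post, the Shibboleth IdP or Quickbase; it parses a SAML 2.0 Response with the standard library and summarises those properties. The two Response documents embedded in it are constructed samples with placeholder IDs, issuer and signature contents, not real captures.

```python
"""Inspect a SAML 2.0 Response to see how the NameID was delivered.

Added example (not from the mailing-list post or the Shibboleth project).
Reports whether the NameID is clear text or an EncryptedID, its Format, and
whether the Response or Assertion carries a signature element.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def inspect_response(xml_text: str) -> dict:
    """Return a summary of NameID handling and signing for one Response.

    Note: for XML from an untrusted party, parse with defusedxml rather than
    xml.etree to avoid entity-expansion attacks; this example trusts its input.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_signed": False,
        "nameid_encrypted": False,
        "nameid_format": None,
        "nameid_value": None,
        "warnings": [],
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if summary["assertion_encrypted"]:
            summary["warnings"].append("assertion is encrypted; decrypt before inspecting the NameID")
        else:
            summary["warnings"].append("no Assertion element found")
        return summary

    summary["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    subject = assertion.find("saml:Subject", NS)
    if subject is not None:
        # An EncryptedID replaces the NameID; an SP without the matching
        # decryption key cannot read it, so it cannot match the user on it.
        summary["nameid_encrypted"] = subject.find("saml:EncryptedID", NS) is not None
        nameid = subject.find("saml:NameID", NS)
        if nameid is not None:
            summary["nameid_format"] = nameid.get("Format")
            summary["nameid_value"] = (nameid.text or "").strip()

    if summary["nameid_encrypted"] and summary["nameid_value"] is None:
        summary["warnings"].append("NameID is an EncryptedID; an SP without the decryption key cannot match on it")
    if summary["nameid_format"] == TRANSIENT:
        summary["warnings"].append("transient NameID changes on every login; do not use it as a user key")
    if not (summary["response_signed"] or summary["assertion_signed"]):
        summary["warnings"].append("neither Response nor Assertion is signed")
    return summary


# Constructed sample: clear-text persistent NameID, signed assertion.
CLEAR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the NameID was encrypted into an EncryptedID.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      </saml:EncryptedID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, doc in (("clear", CLEAR_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        print(label, inspect_response(doc))
```

Run it against a Response captured from the browser (for example the decoded SAMLResponse form field of the HTTP-POST binding in the SP metadata above) to confirm that the IdP is now emitting a clear-text NameID with the persistent Format and that a signature is still present once `encryptNameIDs` is set to `never`.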
