mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?

Cantor, Scott cantor.2 at
Thu Jan 7 18:00:33 UTC 2021

On 1/7/21, 12:36 PM, "users on behalf of Louis Chanouha" <users-bounces at on behalf of chanouha at> wrote:

>    I'm experiencing issues with Shibboleth 4. It doesn't accept "urn:mace:shibboleth:1.0:nameIdentifier" namePolicy.

Nor should it, that's a SAML 1.1 identifier defined by the project in the old days and there is no NameIDPolicy concept in SAML 1.1, nor even a request message. There is no scenario in which it would ever appear in any SAML 2.0 exchange.

Secondly, you don't "ask" for transient, it's a default/fallback used when nothing is needed and in fact has no purpose in SAML 2.0 apart from logout support, which SAML 1.1 did not have either. Its existence in SAML 1.1 was a Shibboleth invention to support attribute queries, which are themselves no longer necessary or used in most cases.

-- Scott
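As an added illustration (not part of the original message, and not Shibboleth code), the sketch below checks the NameIDPolicy of a SAML 2.0 AuthnRequest for the two situations described in the reply: the SAML 1.1-era Shibboleth identifier, and an explicit request for transient. The function names, finding labels and sample requests are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Identifier from the thread: defined by the project for SAML 1.1.
LEGACY_SHIB = "urn:mace:shibboleth:1.0:nameIdentifier"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def sample_request(policy=""):
    """Build a constructed, unsigned AuthnRequest for the checks below."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed" '
            f'Version="2.0" IssueInstant="2021-01-07T18:00:00Z">'
            f'{policy}</samlp:AuthnRequest>')


def check_name_id_policy(request_xml):
    """Return (format, finding) for the request's NameIDPolicy.

    Findings (hypothetical labels):
      not-authnrequest     root element is not a SAML 2.0 AuthnRequest
      none                 no Format requested; the IdP uses its default
      legacy-saml1         SAML 1.1-era identifier, never valid here
      redundant-transient  transient is the fallback; no need to ask for it
      other                any other format, left for the IdP to evaluate
    """
    # ElementTree is fine for constructed input; for untrusted XML use a
    # hardened parser such as defusedxml.
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None, "not-authnrequest"
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    if fmt is None or not fmt.strip():
        return None, "none"
    fmt = fmt.strip()
    if fmt == LEGACY_SHIB:
        return fmt, "legacy-saml1"
    if fmt == TRANSIENT:
        return fmt, "redundant-transient"
    return fmt, "other"


if __name__ == "__main__":
    for f in (LEGACY_SHIB, TRANSIENT, PERSISTENT):
        req = sample_request(f'<samlp:NameIDPolicy Format="{f}"/>')
        print(check_name_id_policy(req))
    print(check_name_id_policy(sample_request()))
```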
