mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?

Louis Chanouha chanouha at
Fri Jan 8 09:02:02 UTC 2021

Thanks for your response ! 

Is there still a way to make Shibb respond
to this nameid request, even with a "ugly hack" ? 

Several external
services uses this nameid, I will spend a lot of energy making every
parties modify their SP. 

Thanks very much 


Le 2021-01-07
19:00, Cantor, Scott a écrit :

> On 1/7/21, 12:36 PM, "users on behalf
of Louis Chanouha" <users-bounces at on behalf of
chanouha at> wrote:
>> I'm experiencing issues with
Shibboleth 4. It doesn't accept "urn:mace:shibboleth:1.0:nameIdentifier"
> Not should it, that's a SAML 1.1 identifier defined by
the project in the old days and there is no NameIDPolicy concept in SAML
1.1, nor even a request message. There is no scenario in which it would
ever appear in any SAML 2.0 exchange.
> Secondly, you don't "ask" for
transient, it's a default/fallback used when nothing is needed and in
fact has no purpose in SAML 2.0 apart from logout support, which SAML
1.1 did not have either. Its existence in SAML 1.1 was a Shibboleth
invention to support attribute queries, which are themselves no longer
necessary or used in most cases.
> -- Scott
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list