mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?

Christopher Bongaarts cab at
Fri Jan 8 18:59:14 UTC 2021

On 1/8/2021 11:31 AM, Cantor, Scott wrote:
>>     Several external services uses this nameid, I will spend a lot of energy making every parties modify their SP.
> I have never heard of anything that*needs*  a transient NameID in any Format. That doesn't really make a great deal of sense.

Speaking of not making much sense, we had a pair of SPs that required 
(yes really) a NameIDFormat of transient but with a "real" value (our 
net ID). Both had invalid entity IDs (some text plus a GUID) as well, to 
round out the brokeneity.  Sort of the opposite of what's being asked here.

I think one could work around the original request by defining a SAML2 
NameID with the expected format string, and using an attribute for the 
value from a computedId attribute. You might be in trouble if they need 
to do any backchannel functions, though.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list