WG: Problem with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent?

philip.nemeth at pnem.at
Sat Jan 9 14:48:20 UTC 2021


Hello Guys!

I have some problems and hope you can help me!
We are testing your application IdP 4 with Tomcat 9 and all looks good, but I get these messages:


2021-01-09 15:23:47,561 - 10.10.26.0 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2021-01-09 15:23:47,571 - 10.10.26.0 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy

==> idp-process.log <==
2021-01-09 15:23:47,571 - 10.10.26.0 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy

We use the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent format, but I have no idea where I should be looking for the problem....


attribute-resolver.xml


<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
    <AttributeDefinition id="uid" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </AttributeDefinition>
    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="affiliation">
            <Value>member</Value>
        </Attribute>

saml-nameid.xml

    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oid:0.9.2342.19200300.100.1.1"
            p:attributeSourceIds="#{ {'uid'} }" />

        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <!--
        <ref bean="shibboleth.SAML2PersistentGenerator" />
        -->

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'uid'} }" />

    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <ref bean="shibboleth.SAML1TransientGenerator" />

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

</beans>

The connection to the LDAP server (Microsoft AD) looks good, and after hours of reading the XML/code I have no idea :-(


Greetings,
Phil
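The warning in the post ("Request specified use of an unsupportable identifier format") is the IdP comparing the Format in the SP's NameIDPolicy against the formats of the generators registered in shibboleth.SAML2NameIDGenerators. The following is an added diagnostic, not Shibboleth code and not part of the original message: it parses the generator list as posted (wrapped in a Spring <beans> root, which the post omits) and a constructed AuthnRequest, and reproduces the accept/reject decision. The mapping of the stock <ref> beans to their formats, the treatment of an "unspecified" policy as unconstrained, and the FIXED_CONFIG variant are assumptions of this example; the property names it mentions for the persistent generator (idp.persistentId.sourceAttribute, idp.persistentId.salt) are the ones the "requires configuration in saml-nameid.properties" comment refers to.

```python
"""Reproduce the IdP's NameIDPolicy check from a saml-nameid.xml generator list.

Added example, not Shibboleth code. A requested NameIDPolicy Format must match
the format of at least one registered SAML 2 NameID generator, or the IdP
signals InvalidNameIDPolicy.
"""
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
P = "http://www.springframework.org/schema/p"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Formats produced by the stock generators when pulled in via <ref bean="..."/>.
# Assumption based on the bean names; attribute-sourced beans use p:format instead.
BUILTIN_FORMATS = {
    "shibboleth.SAML2TransientGenerator": TRANSIENT,
    "shibboleth.SAML2PersistentGenerator": PERSISTENT,
}


def _wrap(list_xml: str) -> str:
    """Wrap a util:list fragment in a Spring <beans> root so it parses stand-alone."""
    return f'<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">{list_xml}</beans>'


# Generator list as posted: persistent generator commented out, plus one bean
# whose p:format is an attribute OID rather than a nameid-format URN.
POSTED_CONFIG = _wrap("""
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:omitQualifiers="true"
          p:format="urn:oid:0.9.2342.19200300.100.1.1"
          p:attributeSourceIds="#{ {'uid'} }" />
    <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'uid'} }" />
</util:list>
""")

# Hypothetical corrected list: persistent generator registered. It also needs
# idp.persistentId.sourceAttribute and idp.persistentId.salt in saml-nameid.properties.
FIXED_CONFIG = _wrap("""
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <ref bean="shibboleth.SAML2PersistentGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'uid'} }" />
</util:list>
""")

# Constructed AuthnRequest carrying the policy an SP sends to get a persistent ID.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example"
    Version="2.0" IssueInstant="2021-01-09T14:23:47Z">
  <samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true" />
</samlp:AuthnRequest>"""


def supported_formats(config_xml: str) -> list:
    """Formats the IdP can generate, in list order. The parser discards XML
    comments, which is exactly why a commented-out <ref> contributes nothing."""
    root = ET.fromstring(config_xml.strip())
    gen_list = root.find(f"{{{UTIL}}}list[@id='shibboleth.SAML2NameIDGenerators']")
    formats = []
    for child in gen_list:
        if child.tag == f"{{{BEANS}}}ref":
            fmt = BUILTIN_FORMATS.get(child.get("bean"))
        elif child.tag == f"{{{BEANS}}}bean":
            fmt = child.get(f"{{{P}}}format")
        else:
            fmt = None
        if fmt:
            formats.append(fmt)
    return formats


def requested_format(authn_request_xml: str):
    """NameIDPolicy/@Format from the AuthnRequest, or None if no policy was sent."""
    root = ET.fromstring(authn_request_xml.strip())
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def evaluate(config_xml: str, authn_request_xml: str) -> str:
    """'proceed' if a registered generator matches the requested format,
    otherwise the event name the IdP logs: InvalidNameIDPolicy."""
    wanted = requested_format(authn_request_xml)
    if wanted is None or wanted == UNSPECIFIED:
        return "proceed"  # no constraint: first generator in the list is used (assumption)
    return "proceed" if wanted in supported_formats(config_xml) else "InvalidNameIDPolicy"


def suspicious_formats(config_xml: str) -> list:
    """p:format values that are not nameid-format URNs; an attribute OID here can
    only ever match a NameIDPolicy that no real SP sends."""
    return [f for f in supported_formats(config_xml) if ":nameid-format:" not in f]


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {evaluate(cfg, AUTHN_REQUEST)}  supports={supported_formats(cfg)}")
    print("suspicious p:format values:", suspicious_formats(POSTED_CONFIG))
```

Run against the posted list, the script reports InvalidNameIDPolicy for a persistent request and flags the urn:oid value as a p:format that is not a NameID format; against the variant with shibboleth.SAML2PersistentGenerator registered it reports proceed. It checks only the generator list, not whether the persistent generator's source attribute and salt are set, so a real IdP can still fail later if saml-nameid.properties is left at its defaults.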