Fwd: Installing Shibboleth idp3 with hubspot as sp: Getting Saml response status code InvalidNameIDPolicy

Youssef Ait Laydi youssef.aitlaydi at gmail.com
Fri Jun 4 21:20:36 UTC 2021

Thank you for your feedback.
I commented out this line in saml-nameid.properties:
#idp.nameid.saml2.default =urn:oasis:names:tc:SAML:1.1:na

I added this configuration in saml-nameid.xml:

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:attributeSourceIds="#{ {'mail'} }" />

And this configuration in attribute-resolver.xml:

    <AttributeDefinition id="mail" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML1String"
                          name="urn:mace:dir:attribute-def:mail" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:"
                          friendlyName="mail" />
    </AttributeDefinition>

And this configuration in relying-party.xml:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- the bean's own attributes were lost in the mail; parent and
             relyingPartyIds below are a placeholder reconstruction -->
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="SP-ENTITY-ID-PLACEHOLDER">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>
    </util:list>

But I got this error in idp-process.log:
- Attribute sources [mail] did not produce a usable identifier
WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] -
Profile Action AddNameIDToSubjects: Request specified use of an
unsupportable identifier format:

I don't know how to get attributeSourceIds?
I have this data in the idp-process.log:

WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:93] - Relay state
exceeds 80 bytes: {"loginEmail":"test_sso at example.com
INFO [Shibboleth-Audit.SSO:275] -

Thank you in advance

On Fri, 4 Jun 2021 at 17:00, Peter Schober <
peter.schober at univie.ac.at> wrote:

> * Peter Schober <peter.schober at univie.ac.at> [2021-06-04 17:48]:
> > That means your IDP is not configured to produce NameIDs of that format.
> This.
> > > Note that I didn't change saml-nameid.xml but I
> > > changed saml-nameid.properties:
> > > idp.nameid.saml2.default =
> > > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> >
> > A *very* bad idea (setting that as default), but also quite obviously
> > it didn't take, otherwise the IDP wouldn't be throwing that error?
> I missed that changing the default is no replacement for telling the
> IDP what to put into the NameID. I.e., you'd still need to configure
> saml-nameid.xml appropriately.
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net

Software Engineer
Oracle Certified Professional Java SE 6 Programmer
Tel: 0674-931593
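For readers hitting the same pair of warnings, the following is an added illustration of how the two pieces Peter refers to fit together; it is not configuration from the poster or from the Shibboleth project, and the SP entityID is a placeholder. The attribute-sourced generator must carry the NameID format the SP asks for in its NameIDPolicy (the property default is left alone), it must be registered inside the existing shibboleth.SAML2NameIDGenerators list, and it only sees attributes that the attribute filter has released to that SP, so a resolver definition with encoders is not enough on its own. The attribute id "mail" is assumed to be the one defined in attribute-resolver.xml.

```xml
<!-- saml-nameid.xml: add the generator to the list that already exists there -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <!-- format must equal the Format the SP sends in <samlp:NameIDPolicy> -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />
</util:list>

<!-- attribute-filter.xml: the generator reads filtered attributes, so "mail"
     has to be released to this relying party or the generator finds nothing
     ("Attribute sources [mail] did not produce a usable identifier") -->
<AttributeFilterPolicy id="releaseMailForEmailNameID">
    <!-- SP-ENTITY-ID-PLACEHOLDER: replace with the SP's real entityID -->
    <PolicyRequirementRule xsi:type="Requester" value="SP-ENTITY-ID-PLACEHOLDER" />
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Two checks worth doing after a restart: idp-process.log at DEBUG for net.shibboleth.idp.saml.nameid should show the generator being selected for the requested format, and the Shibboleth-Audit entry for the SSO should now list a NameID. Note that the relying-party override above sets encryptAssertions="false", so the e-mail address in the NameID is protected only by TLS on the browser-to-SP leg; that is a deliberate trade-off for SPs that cannot decrypt, not a default to copy elsewhere.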
