Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
Jason Rotunno
jrotunno at swarthmore.edu
Wed Jun 9 15:56:35 UTC 2021
I'm attempting to add a new SP to our Shib 4 instance but I keep running
into the error referenced in the subject:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://signin.app.cayuse.com/saml/SSO"
    Destination="https://our.idp.edu/idp/profile/SAML2/Redirect/SSO"
    ID="CAYUSE_ec3bdf1a-0d99-49cf-bfc4-0945d16b572c"
    IssueInstant="2021-06-09T15:04:36Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://signin.app.cayuse.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
</samlp:AuthnRequest>
2021-06-09 11:04:38,288 - WARN
[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - [a.b.c.d]
- Profile Action AddNameIDToSubjects: Request specified use of an
unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
2021-06-09 11:04:38,290 - WARN
[org.opensaml.profile.action.impl.LogEvent:101] - [a.b.c.d] - A non-proceed
event occurred while processing the request: InvalidNameIDPolicy
The SP is an InCommon member so I'm using their metadata that's in the
InCommon feed. We contacted their support and they said that we need to
configure the NameID and added:
The following is a list of attributes we support:
username-mapping-attr-names: |
  urn:oid:0.9.2342.19200300.100.1.1,
  urn:oid:1.3.6.1.4.1.5923.1.1.1.6,
  urn:oid:1.3.6.1.4.1.5923.1.1.1.10,
  urn:mace:dir:attribute-def:uid,
  urn:mace:dir:attribute-def:eduPersonPrincipalName,
  urn:oasis:names:tc:SAML:attribute:subject-id,
  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier,
  http://schemas.microsoft.com/identity/claims/objectidentifier,
  urn:oid:1.3.6.1.4.1.5923.1.1.1.2
# Look for email in the following SAML attrs (if username not found), in
# order of first listed to last. CSV attr-names, whitespace OK.
email-mapping-attr-names: |
  urn:oid:0.9.2342.19200300.100.1.3,
  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
I was hoping that resolving it would be as simple as configuring the NameID
in saml-nameid.xml, which I did as follows (uid is
urn:oid:0.9.2342.19200300.100.1.1, one of the attributes they said they
support):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{ {'uid'} }">
  <property name="activationCondition">
    <bean parent="shibboleth.Conditions.RelyingPartyId"
          c:candidate="https://signin.app.cayuse.com/saml/metadata" />
  </property>
</bean>
I've successfully configured other SPs to use
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the same way, but
unfortunately, I'm still running into the problem. The NameID format
urn:mace:shibboleth:1.0:nameIdentifier in the error is throwing me off --
I've never encountered it before and while I did find some posts by others
about this, I'm not quite sure what to do with the responses. Can anyone
perhaps provide some insight that might help me get this working?
Thanks!
Jason
--
Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505
*VERIFY before you click!!*
- Attackers make their emails look like they come from someone they don't.
- Attackers make links look like they go to websites they don't.
- Attackers disguise malware as receipts, invoices, faxes, etc.
Forward suspicious emails to phishing at swarthmore.edu.
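An added example (mine, not code from the post or from Shibboleth) that models the check behind the warning quoted above: the requested NameIDPolicy Format is accepted only if a generator active for that relying party emits it, so under this model a generator configured for the persistent format cannot satisfy a request for urn:mace:shibboleth:1.0:nameIdentifier. The AuthnRequest and saml-nameid.xml fragment are constructed from the post's, with the Spring p: and c: namespace URIs and the "no condition means active for all SPs" rule assumed.

```python
import xml.etree.ElementTree as ET
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"  # Spring p-namespace (assumed URI)
C = "{http://www.springframework.org/schema/c}"  # Spring c-namespace (assumed URI)

# Constructed AuthnRequest carrying the same NameIDPolicy as the one in the post.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="CAYUSE_example" Version="2.0">
  <saml:Issuer>https://signin.app.cayuse.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
</samlp:AuthnRequest>"""

# Constructed saml-nameid.xml fragment: the post's bean plus the namespace declarations.
NAMEID_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'uid'} }">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://signin.app.cayuse.com/saml/metadata"/>
    </property>
  </bean>
</beans>"""

def requested_policy(authn_request_xml):
    """Return (issuer, requested Format); Format is None when the SP states none."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(SAMLP + "NameIDPolicy")
    return root.findtext(SAML + "Issuer"), None if policy is None else policy.get("Format")

def supported_formats(config_xml, relying_party):
    """Formats emitted by generators active for relying_party (no condition = active for all)."""
    formats = set()
    for bean in ET.fromstring(config_xml).findall(BEANS + "bean"):
        fmt = bean.get(P + "format")
        if not fmt:
            continue
        candidates = [b.get(C + "candidate", "").strip() for b in bean.iter(BEANS + "bean")
                      if b.get("parent") == "shibboleth.Conditions.RelyingPartyId"]
        if not candidates or relying_party in candidates:
            formats.add(fmt)
    return formats

def check_request(authn_request_xml, config_xml):
    """Mirror the IdP's decision: a Format that no active generator emits is unsupportable."""
    issuer, fmt = requested_policy(authn_request_xml)
    if fmt is None or fmt in supported_formats(config_xml, issuer):
        return "ok"
    return "Request specified use of an unsupportable identifier format: " + fmt
```

Running check_request against the request an SP actually sends, before touching the IdP, shows whether the mismatch is in the request's Format or in which generator is active for that entityID.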