Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier

Cantor, Scott cantor.2 at
Wed Jun 9 18:14:16 UTC 2021

On 6/9/21, 2:00 PM, "users on behalf of Jason Rotunno" <users-bounces at on behalf of jrotunno at> wrote:

>    Ah, ok. Thanks for the info. I'd like to explain the issue to the SP but it sounds like
> urn:mace:shibboleth:1.0:nameIdentifier is the name Shib uses for that format. Is there platform-agnostic
> terminology to refer to that request format that the SP operators would (hopefully) recognize?

There is no SAML 1.1 equivalent, which doesn't matter because this isn't SAML 1.1. The SAML 2.0 transient format identifier is the other default format in the saml-nameid.properties configuration and is documented in the standard.

There is no reason why any SP should ever *require* either format and asking/demanding that it be used is a bug. It makes no sense to demand somebody send you an identifier that's intentionally non-persistent. 

>    Also, just out of curiosity, since there are no required Name ID formats in the SP's metadata, how does the
> IdP know that it's requiring urn:mace:shibboleth:1.0:nameIdentifier?

The NameIDPolicy element in its request is forcing the IdP to use the requested format or fail. Failure in this case is caused by the inability to supply a SAML 2.0 NameID corresponding to a SAML 1.1-only Format.

In short:

a) SPs need to STOP using NameIDPolicy/@Format
b) Any that did should never be asking for transient, in either SAML version.
c) Even if they do, you can't ask for a SAML 1.1 Format in a SAML 2.0 request.

-- Scott
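The mechanics behind the answer above (the SP's NameIDPolicy/@Format in the AuthnRequest, not its metadata, is what forces the IdP's hand, and a SAML 1.1-only Format can never be satisfied by a SAML 2.0 NameID) can be made concrete with a small IdP-side check. The following is an added example for this thread, not code from the Shibboleth project and not how the Shibboleth IdP implements saml-nameid.properties; the AuthnRequest, the SP metadata, and the entity IDs are constructed samples, and the verdict labels (accept/warn/reject) are this example's own.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Format identifiers from the SAML 2.0 Core standard.
SAML2_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAML2_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SAML2_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Shibboleth's SAML 1.x transient identifier format; it has no SAML 2.0 NameID equivalent.
SHIB1_TRANSIENT = "urn:mace:shibboleth:1.0:nameIdentifier"

# Formats the hypothetical IdP is willing to issue for SAML 2.0 (assumption for this example).
IDP_SAML2_FORMATS = (SAML2_TRANSIENT, SAML2_PERSISTENT)


def build_authn_request(nameid_format=None):
    """Return a minimal SAML 2.0 AuthnRequest (constructed sample, not a real SP's request).
    If nameid_format is given, a NameIDPolicy element requesting that Format is included."""
    policy = ""
    if nameid_format is not None:
        policy = f'  <samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/>\n'
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"\n'
        '    ID="_constructed-example-1" Version="2.0" IssueInstant="2021-06-09T18:00:00Z"\n'
        '    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">\n'
        '  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>\n'
        f'{policy}'
        '</samlp:AuthnRequest>'
    )


# Constructed SP metadata with no NameIDFormat elements, matching the situation in the thread.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_nameid_formats(metadata_xml):
    """List the NameIDFormat values an SP advertises in its metadata (empty if none)."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]


def requested_nameid_format(authn_request_xml):
    """Return NameIDPolicy/@Format from a SAML 2.0 AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def classify_request(authn_request_xml, idp_formats=IDP_SAML2_FORMATS):
    """Decide whether the IdP can honour the request's NameIDPolicy.
    Returns (verdict, reason) where verdict is 'accept', 'warn' or 'reject'."""
    fmt = requested_nameid_format(authn_request_xml)
    if fmt is None or fmt == SAML2_UNSPECIFIED:
        return ("accept", "no Format constraint; the IdP picks from its own configuration")
    if fmt == SHIB1_TRANSIENT:
        # A SAML 1.1-only Format cannot be expressed as a SAML 2.0 NameID, so the IdP must fail.
        return ("reject", f"SAML 1.1-only Format {fmt} requested in a SAML 2.0 request")
    if fmt == SAML2_TRANSIENT:
        # Honourable, but demanding an intentionally non-persistent identifier is a SP bug.
        return ("warn", "SP requires the transient Format; requiring it serves no purpose")
    if fmt in idp_formats:
        return ("accept", f"Format {fmt} is one the IdP can issue")
    return ("reject", f"Format {fmt} is not one the IdP can issue")


if __name__ == "__main__":
    print("SP metadata NameIDFormats:", metadata_nameid_formats(SAMPLE_SP_METADATA))
    for f in (SHIB1_TRANSIENT, SAML2_TRANSIENT, SAML2_PERSISTENT, None):
        print(f, "->", classify_request(build_authn_request(f)))
```

Running it shows the empty metadata list next to a "reject" for the request carrying urn:mace:shibboleth:1.0:nameIdentifier, which is the point of the thread: the IdP learns the SP's demand from the request itself, and the only fix is on the SP side, by dropping NameIDPolicy/@Format.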
