Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier

Cantor, Scott cantor.2 at
Wed Jun 9 18:18:01 UTC 2021

On 6/9/21, 2:14 PM, "users on behalf of Mak, Steve" <users-bounces at on behalf of makst at> wrote:

>    Maybe others can correct me, but I believe the IdP's nameID format priority list goes like this:
>    1. relying party override
>    2. SAML request requirement
>    3. SP metadata preference list - as long as "unspecified" is not present

The first two are backwards. The SAML standard requires that the request take precedence and since you control the use of Formats via data release rules anyway, there's no particular need to allow the IdP operator to block requests that carry a requirement like we had to do for AuthnContext. It doesn't cause anything to break that doesn't just break anyway.

>    Your cayuse integration is hitting the 1.0 NameID at #2. You can either get cayuse to fix their side or you can override with #1.

Doesn't work, the standard doesn't allow it.

-- Scott
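
The precedence discussed in this thread, as an added Python sketch that is not part of the original messages and is not Shibboleth IdP code: it reads the `NameIDPolicy` Format from an AuthnRequest and shows why a relying party override cannot rescue a required Format the IdP cannot issue. The function names, the `supported` set and both sample requests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SHIB1 = "urn:mace:shibboleth:1.0:nameIdentifier"

# Constructed AuthnRequest (not a capture) carrying the Format from the subject line.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0"
    IssueInstant="2021-06-09T18:00:00Z">
  <samlp:NameIDPolicy Format="{SHIB1}"/>
</samlp:AuthnRequest>"""
NO_POLICY_REQUEST = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed2" Version="2.0"/>'

def requested_format(authn_request_xml):
    """Format required by <NameIDPolicy>, or None when the request imposes none."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    return None if fmt in (None, UNSPECIFIED) else fmt

def select_format(authn_request_xml, rp_override, sp_metadata_formats, supported):
    """Hypothetical model: request first, then override, then SP metadata."""
    required = requested_format(authn_request_xml)
    if required is not None:
        # The request wins, so an override cannot rescue an unsupported Format.
        if required not in supported:
            raise ValueError(f"unsupportable identifier format: {required}")
        return required
    if rp_override:
        candidates = rp_override
    elif UNSPECIFIED not in sp_metadata_formats:
        candidates = sp_metadata_formats
    else:
        candidates = []  # "unspecified" in metadata: list is not treated as a preference
    return next((f for f in candidates if f in supported), None)

if __name__ == "__main__":
    print("request requires:", requested_format(SAMPLE_REQUEST))
    try:
        select_format(SAMPLE_REQUEST, [TRANSIENT], [], {TRANSIENT})
    except ValueError as err:
        print("IdP would fail with:", err)
    print("no NameIDPolicy ->", select_format(NO_POLICY_REQUEST, [TRANSIENT], [], {TRANSIENT}))
```
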
