Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
Cantor, Scott
cantor.2 at osu.edu
Wed Jun 9 18:18:01 UTC 2021
On 6/9/21, 2:14 PM, "users on behalf of Mak, Steve" <users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:
> Maybe others can correct me, but I believe the IdP's nameID format priority list goes like this:
>
> 1. relying party override
> 2. SAML request requirement
> 3. SP metadata preference list - as long as "unspecified" is not present
The first two are backwards. The SAML standard requires that the request take precedence, and since you control the use of Formats via data release rules anyway, there's no particular need to allow the IdP operator to block requests that carry a requirement like we had to do for AuthnContext. It doesn't cause anything to break that doesn't just break anyway.
> Your cayuse integration is hitting the 1.0 NameID at #2. You can either get cayuse to fix their side or you can
> override with #1.
Doesn't work, the standard doesn't allow it.
-- Scott
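
Added example, not part of the original messages and not Shibboleth's own code: a simplified Python model of the format ordering as corrected in this thread, showing why a relying-party override cannot rescue a request whose NameIDPolicy requires a format the IdP cannot release. The function names, the `releasable` list and the sample AuthnRequest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SHIB1 = "urn:mace:shibboleth:1.0:nameIdentifier"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: an AuthnRequest whose NameIDPolicy demands the legacy format.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1"
    Version="2.0" IssueInstant="2021-06-09T18:00:00Z">
  <samlp:NameIDPolicy Format="{SHIB1}"/>
</samlp:AuthnRequest>"""


def requested_format(authn_request_xml):
    """Return the Format the request requires, or None if it imposes none."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    return None if fmt in (None, UNSPECIFIED) else fmt


def candidate_formats(authn_request_xml, rp_override, sp_metadata_formats, idp_default):
    """Return (source, formats) using the corrected order from the thread."""
    required = requested_format(authn_request_xml)
    if required:
        return "request", [required]  # nothing further down can replace this
    if rp_override:
        return "relying-party override", list(rp_override)
    if sp_metadata_formats and UNSPECIFIED not in sp_metadata_formats:
        return "sp metadata", list(sp_metadata_formats)
    return "idp default", list(idp_default)


def diagnose(authn_request_xml, rp_override, sp_metadata_formats, releasable):
    """releasable: formats the IdP can generate and release to this SP (assumed input)."""
    source, formats = candidate_formats(
        authn_request_xml, rp_override, sp_metadata_formats, releasable)
    for fmt in formats:
        if fmt in releasable:
            return f"{source}: {fmt}"
    if source == "request":
        return f"unsupportable identifier format: {formats[0]}"
    return f"{source}: none of the listed formats is releasable"
```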