custom nameid formats and metadata-driven config

Les LaCroix llacroix at
Thu Aug 4 06:08:52 UTC 2022

I am defining a custom name format.  Things work when there is an override
in relying-parties.xml, but I've been unable to get it to work with a
metadata-driven configuration.  I'm hoping someone can spot the blunder in
my config.

I have a new SP that wants a saml2:Subject NameID sourced from "uid".
Referring to

, I created a custom generator in saml-nameid.xml with a format using the
URI name of uid:

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                  p:attributeSourceIds="#{ {'uid'} }" />

aacli verifies that I am releasing uid to the SP.  The following override
in relying-parties.xml produces the output that includes a
saml2:Subject like I expect:

        <bean parent="RelyingPartyByName"
            <property name="profileConfigurations">
                    <bean parent="SAML2.SSO.MDDriven"
                          p:nameIDFormatPrecedence="#{{'urn:oid:0.9.2342.19200300.100.1.1'}}" />

When I comment that out and put the following in the SP's metadata file,
the aacli output no longer includes a saml2:Subject:

         <saml:Attribute Name=""


idp-process.log reports that it's loading the metadata file without
errors.  aacli shows that uid is still being released.  What am I messing

Thanks, -Les

P.S. I am running IdP 4.1.6.


*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455