custom nameid formats and metadata-driven config

Les LaCroix llacroix at
Thu Aug 4 13:48:32 UTC 2022

Peter, thanks for the quick response.  What you suggested was the first
thing I actually tried.  If I have just the NameIDFormat in the metadata
and no relying party override, I'm getting a transient subject and not the
uid-based subject.

Our default relying party profile configuration includes:

                <bean parent="SAML2.SSO.MDDriven"


'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />

This is the first time I've defined a custom format.  Is it best practice
to add custom formats to the start of the default precedence list?



*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455

On Thu, Aug 4, 2022 at 2:20 AM Peter Schober via users <users at>

> * Peter Schober via users <users at> [2022-08-04 09:16]:
> > That's covered in plain old SAML 2.0 Metadata itself:
> >
> >   <NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</NameIDFormat>
> You also don't need a relying party override to, well, override what's
> in the metadata if you can put the expected format into the metadata
> itself -- only a saml-nameid.xml configuration to generate the desired
> format and metadata that signals the same format (as per above).
> See "NameID format selection" (or something like that) in the wiki.
> -peter
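As an added illustration (not configuration from this thread or from the Shibboleth project), here is how the two pieces Peter describes fit together in an IdP configuration: a generator for the uid-based format in saml-nameid.xml, and a relying-party precedence list that places the custom format ahead of transient. The attribute id `uid` and the position of the profile bean inside the default relying party are assumptions; the format URI is the one quoted in the thread.

```xml
<!-- saml-nameid.xml: register a generator for the custom format.
     Assumes a resolved attribute with id "uid" supplies the subject value. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oid:0.9.2342.19200300.100.1.1"
        p:attributeSourceIds="#{ {'uid'} }" />
</util:list>

<!-- relying-party.xml, default relying party profile: the custom format is
     listed first so it is preferred whenever the SP's metadata <NameIDFormat>
     also advertises it; transient remains the fallback for every other SP. -->
<bean parent="SAML2.SSO.MDDriven"
    p:nameIDFormatPrecedence="#{{ 'urn:oid:0.9.2342.19200300.100.1.1',
                                  'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />
```

Both halves are needed: the precedence list only ranks formats the IdP can already produce, so without a generator registered for the custom URI the IdP falls through to transient regardless of what the SP's metadata says. Checking the IdP's idp-process.log for the NameID format actually chosen for a given SP is the quickest way to confirm which of the two pieces is missing.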