custom nameid formats and metadata-driven config

Mak, Steven makst at
Fri Aug 5 13:16:32 UTC 2022


My suspicion is that your main RP override is too broad and is applying to everything. And when you comment out your RP override for this one SP, it's defaulting to the broad override which is forcing "persistent OR transient".

Instead of completely commenting out the RP override, make an RP override for this one SP but exclude any nameIDFormatPrecedence. Set it up for the same SAML2.SSO profile and see if that works.

- Steve

From: users <users-bounces at> on behalf of Les LaCroix via users <users at>
Date: Thursday, August 4, 2022 at 8:11 PM
To: Shib Users <users at>
Cc: Les LaCroix <llacroix at>
Subject: Re: custom nameid formats and metadata-driven config
There is no NameIDPolicy in the SAML requests from this service.  The vendor-generated metadata file doesn't contain any NameIDFormat, but it's not expected to work out of the box either, as it doesn't include an entityID.  They don't care what the nameid-format specifier is.  They just need the user's username returned as the saml2:Subject.

I added "<md:NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</md:NameIDFormat>" in the SP's metadata, but my understanding now is that alone is insufficient because of the nameIDFormatPrecedence that we added to our default relying party configuration years ago.

Based on <link scrubbed: NameID-Format-Selection>, I thought that adding the following to the metadata would trigger the custom format.  It does not.

         <saml:Attribute Name="<link scrubbed>"

I do, however, trigger the custom format if I instead add the following to my relying-party.xml.

        <!-- c:relyingPartyIds and the closing elements were omitted in the original post; the SP entityID is a placeholder -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="SP-ENTITYID-PLACEHOLDER">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO.MDDriven"
                        p:nameIDFormatPrecedence="#{{'urn:oid:0.9.2342.19200300.100.1.1'}}" />
                </list>
            </property>
        </bean>

I am using an entity attribute for this SP to set encryptAssertions=false (not shown above), and I'm really hoping to figure out how to also override nameIDFormatPrecedence with an entity attribute too.

Thanks, -Les


Les LaCroix '79

Strategic Technologist

Information Technology Services

t: (507) 222-5455

On Thu, Aug 4, 2022 at 9:05 AM Mak, Steven <makst at> wrote:

What is the service sending for a NameIDPolicy in the SAML request? If they're sending something that is not what their devs have stated they want (which is often the case), that could explain why the SP metadata route didn't work.

- Steve
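The thread turns on three things in the SP metadata: whether it carries an entityID at all (the vendor file did not), which md:NameIDFormat elements it declares, and whether an entity attribute in the http://shibboleth.net/ns/profiles/ namespace is present to drive SAML2.SSO.MDDriven. The script below is an added example, not code from the list or from the Shibboleth project; it parses SP metadata, reports those three things and flags the problems this thread ran into. It assumes the documented naming convention http://shibboleth.net/ns/profiles/<property> for metadata-driven settings and uses two constructed metadata documents as input (GOOD_METADATA and VENDOR_METADATA).

```python
"""Inspect SP metadata for the settings that affect IdP NameID selection.

Added example (not from the mailing list or the Shibboleth project).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption: metadata-driven profile settings are named by prefixing the
# profile property name with this URI, as the IdP documentation describes.
PROFILE_ATTR_PREFIX = "http://shibboleth.net/ns/profiles/"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: metadata with an entityID, a custom NameIDFormat and
# two entity attributes driving the MDDriven profile configuration.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>false</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://shibboleth.net/ns/profiles/nameIDFormatPrecedence"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>urn:oid:0.9.2342.19200300.100.1.1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample modelled on the vendor file in the thread: no entityID,
# no NameIDFormat, no entity attributes.
VENDOR_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return entityID, declared NameIDFormats, profile settings and problems."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": None, "nameid_formats": [], "profile_settings": {}, "problems": []}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append("root element is not md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("entityID missing: the IdP cannot match this SP to a relying party")
    # NameIDFormat elements the SP declares it accepts.
    for fmt in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS):
        report["nameid_formats"].append((fmt.text or "").strip())
    # Entity attributes only count when nested in md:Extensions/mdattr:EntityAttributes.
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(PROFILE_ATTR_PREFIX):
            continue
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            report["problems"].append(f"{name}: NameFormat is not {URI_NAME_FORMAT}")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        report["profile_settings"][name[len(PROFILE_ATTR_PREFIX):]] = values
    # A precedence naming a format the SP never declares is worth a second look.
    for fmt in report["profile_settings"].get("nameIDFormatPrecedence", []):
        if fmt not in report["nameid_formats"]:
            report["problems"].append(f"nameIDFormatPrecedence lists {fmt}, which the SP does not declare")
    return report


if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("vendor", VENDOR_METADATA)):
        print(label, inspect_sp_metadata(doc))
```

Run it against the vendor-supplied file before loading it into the IdP; a missing entityID shows up immediately, and the profile_settings map tells you whether the entity attribute is actually where the IdP will look for it rather than elsewhere in the document.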
