Shibboleth SP not able to get eppn value from Duo SSO

Cathy Scott cathystill at
Fri Jan 21 22:07:36 UTC 2022

Reaching out hoping for help with Duo SSO IdP. Working with an institution
that is converting to Duo SSO IdP. Shibboleth SP is getting eppn attribute
value with current IdP.  Struggling to get the same value from Duo SSO.

Attempted to get User Principal Name using persistent-id with this NameID
mapping. But instead of expected value like JJONES, the result was a long
string of letters and numbers.

    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
formatter="$Name" defaultQualifiers="true"/>

A Duo software engineer pointed me to

*8.3.7 Persistent IdentifierURI:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistentIndicates that the
content of the element is a persistent opaque identifier for a principal
that is specific toan identity provider and a service provider or
affiliation of service providers. Persistent name identifiersgenerated by
identity providers MUST be constructed using pseudo-random values that have
nodiscernible correspondence with the subject’s actual identifier (for
example, username). The intent is tocreate a non-public, pair-wise
pseudonym to prevent the discovery of the subject’s identity or activities.*

I have successfully integrated authentication with other IdPs using
persistent-id. In fact, I just completed a similar Azure IdP integration
with persistent-id as the attribute. Shibboleth session summary during that
implementation showed real value and not a pseudo-random value.

There is no way to currently transform attributes with Duo SSO. I'm not an
expert on the IdP side of things and would welcome any advice.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list