Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Mak, Steven makst at
Mon Nov 14 20:38:33 UTC 2022

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (their sp metadata) is NOT equal to urn:oasis:names:tc:SAML:1.1:nameid-format:persistent (your saml-nameid.xml)

From: users <users-bounces at> on behalf of Nadim El-Khoury via users <users at>
Reply-To: Shib Users <users at>
Date: Monday, November 14, 2022 at 3:36 PM
To: Shib Users <users at>
Cc: Nadim El-Khoury <nel-khoury at>
Subject: Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Hi Everyone,

We are trying to set up Single Sign-On between us and Neod/Neogov and it is not working.

We dynamically consume their Metadata through InCommon, and they require that the SAML NameID be persistent and in the email address format.

Their metadata is below.

<md:EntityDescriptor entityID="<;!!IBzWLUs!S_fGE1Gts4gC_Mk8c6znViv55-734E56cCkBw5RNRfZWgAtpA6Z-svDerlFHANqUW2rm8eYHFHXp_YLR$>" ID="_697e849a-7a17-43e7-8034-fcae23e2767d">
<md:SPSSODescriptor ID="_8153bed2-27cb-4e3a-b2f1-664a2325f71e" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<;!!IBzWLUs!S_fGE1Gts4gC_Mk8c6znViv55-734E56cCkBw5RNRfZWgAtpA6Z-svDerlFHANqUW2rm8eYHFN2sOuZ_$>" index="0" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Neogov SSO</md:ServiceName>
<md:RequestedAttribute isRequired="true" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>

We see the following message in the SAML tracer file and the logs.

2022-11-14 15:15:48,830 - - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

2022-11-14 15:15:48,834 - - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy

We did not know whether we needed to uncomment the following line in saml-nameid.xml or create a SAML2AttributeSourceGnerator that I am including below.


        <ref bean="shibboleth.SAML2PersistentGenerator" />


<bean parent="shibboleth.SAML2AttributeSourcedGenerator"



                p:attributeSourceIds="#{ {'mail'} }"

                p:activationCondition-ref="PersistentMailCondition" >


Your help or direction is very much appreciated.



"Twenty years from now you will be more disappointed by the things that you didn't do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade winds in your sails. Explore. Dream. Discover." Mark Twain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list