getting desired value into nameID

IAM David Bantz dabantz at
Fri Oct 7 00:46:40 UTC 2022

SP’s metadata in my local cache, yes. And I’ve run these 3 variations:

   - all 4 policies
   - no policies
   - only the emailAddress policy

With what seems to me the appropriate combination of configs:

   - no NameIDFormat elements in the SP metadata (all removed and verified
   by log message indicating metadata specifies “[]” format(s))
   - saml-nameid generated from eduPersonPrincipalName with emailAddress
   format, triggered by this entityID
   - relying party override for this SP entityID to set
   nameIDFormatPrecedence to emailAddress

the SAML Subject is the long opaque transient ID (with
nameid-format:transient) - that is, not using ePPN, not in emailAddress

If I remove the relying-party override for no very good reason other than
desperate variation, then NO nameID at all is in the SAML Subject.

On 06Oct2022 at 16:36:03, "Wessel, Keith via users" <users at>

> Are you hosting this entity’s metadata yourself? If so, the obvious
> solution is to pull out the other name ID formats. Then, you won’t have to
> monkey with relying party overrides. If you aren’t hosting it yourself, I’d
> ask why not? If it’s not federation metadata, and if I can’t verify a
> signature on it (which one generally can’t unless it’s coming from someone
> who really has their act together), I live with the risks of having to
> manually update it and just download it and put it directly into my local
> metadata. Then, I can manipulate as needed.
> Keith
