By: Pradeep Vara user 04 Oct 2018 at 10:22 p.m. CDT

4 Responses
Our application acts as an SP and we are using GLUU as its IDP. Here "email" is used as the subject during the authn request to validate the user.

How should we define the nameID format as email address in 3.1.4? Should we create a new custom attribute for email, or can we use the custom attributes provided from GLUU?

When I created a custom nameID provided from the GLUU UI (under "Configure Custom NameId"), with "source attribute" as "Email", name as "Email_Address" and "NameId Type" as "emailAddress", I am getting the below error during assertion:

    Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode>

Need to set the email as below name format and nameIDformat. Ex:

    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

By Mohib Zico Account Admin 05 Oct 2018 at 1:58 p.m. CDT

>> attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',

See... 'emailAddress' is not 'unspecified' type. There are basically three types of popular nameIDs there: (1) emailAddress type (2) persistent type (3) unspecified type. 'unspecified' type nameID is deprecated from Shibboleth v3 code, so we did the same for our Gluu Server v3.

'InvalidNameIDPolicy' means ... IDP can't produce nameID which is 'specified' in SP's metadata. Generally, when such an error comes, we do two things:

- Try to configure nameID properly in Gluu Server.
- Try to remove 'unspecified' type nameID in SP's metadata and put either 'emailAddress' type or 'persistentID' type nameID format there in that metadata.

By Pradeep Vara user 06 Oct 2018 at 6:43 a.m. CDT

Thank you for the reply. Can you please give me an example of how to configure the nameID format in GLUU server?

The below is the Authn request going from our application:

    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>

So here the name ID format is emailAddress.

On the GLUU Server I have configured name ID as below:

- Source Attribute: Email
- Name: mail
- NameID Type: emailAddress

But still I am getting 'InvalidNameIDPolicy'.

By Pradeep Vara user 09 Oct 2018 at 12:11 p.m. CDT

Can anyone help here in configuring the custom name ID to emailAddress in GLUU? During assertion I am getting this error:

    Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy

Configuration in attribute-resolver.xml:

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="intersightNameID" sourceAttributeID="intersightEmail">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

Configuration in /opt/shibboleth-idp/conf/saml-nameid.xml:

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
          p:attributeSourceIds="#{ {'intersightNameID'} }"/>

By Mohib Zico Account Admin 15 Oct 2018 at 4:50 a.m. CDT

There is another ticket on the same issue from the same user. Will attend to that new ticket. Closing this one.
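
An added example, not part of any post in this thread and not Gluu or Shibboleth code: a small check that compares the NameIDPolicy Format an SP requests with the `p:format` values of the generator beans in saml-nameid.xml, using the two strings quoted in the 09 Oct post. The function names, the AuthnRequest wrapper and the `<beans>` wrapper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"

# Constructed AuthnRequest; only the Format value is taken from the thread.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2018-10-09T00:00:00Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

# Constructed <beans> wrapper around the generator bean quoted in the thread.
SAML_NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
        p:attributeSourceIds="#{ {'intersightNameID'} }"/>
</beans>"""

def requested_format(authn_request_xml):
    """Return the Format of the request's NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    return policy.get("Format") if policy is not None else None

def generator_formats(saml_nameid_xml):
    """Return every p:format declared on a bean, at any nesting depth."""
    root = ET.fromstring(saml_nameid_xml)
    attr = f"{{{P_NS}}}format"
    return [b.get(attr) for b in root.iter(f"{{{BEANS_NS}}}bean") if b.get(attr)]

def check(authn_request_xml, saml_nameid_xml):
    """Return (match, requested, configured); the comparison is an exact string match."""
    wanted = requested_format(authn_request_xml)
    configured = generator_formats(saml_nameid_xml)
    if wanted is None:  # no format requested, nothing to mismatch
        return True, wanted, configured
    return wanted in configured, wanted, configured

if __name__ == "__main__":
    ok, wanted, configured = check(AUTHN_REQUEST, SAML_NAMEID_XML)
    print("match" if ok else "MISMATCH", "| requested:", wanted, "| configured:", configured)
```

The URIs are compared as opaque strings, so a difference in version segment (`1.1` versus `2.0`) or in the final token (`emailAddress` versus `email`) is reported as a mismatch.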