By: kevin patel user 14 Oct 2017 at 11:43 a.m. CDT

10 Responses
Hello, when I am adding/editing a trust relationship and try to configure the relying party, the popup shows only three options: SAML2SSOProfile, SAML2AttributeQueryProfile and SAML2ArtifactResolutionProfile. How can I enable the other missing profiles?

By Mohib Zico Account Admin 14 Oct 2017 at 12:03 p.m. CDT

I wonder why you need any other profile. Which SP requires that?

By kevin patel user 14 Oct 2017 at 12:18 p.m. CDT

I require that for Kronos. For that, I have to pass the username as NameID without encryption.

By Mohib Zico Account Admin 14 Oct 2017 at 12:22 p.m. CDT

> I have to pass username as NameID without encryption.

I think you can do it with the SAML2SSO profile and the `encryptAssertion==never` value. Configuring a NameID based on the UID attribute is pretty straightforward; please check the section of our doc on how you can configure a NameID.

By kevin patel user 14 Oct 2017 at 12:40 p.m. CDT

Yes, I tried that, but I am still getting the NameID encrypted. Here is the response I want to pass:

```xml
<saml2p:Response
    Destination="https://sp-here/wfc/logonESS_SSO"
    ID="_05ba5ba9448be7de75cdebc878bbd97d"
    IssueInstant="2017-01-04T21:26:03.850Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp-here</saml2:Issuer>
  <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference
          URI="#_05ba5ba9448be7de75cdebc878bbd97d">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>JxUltIs20c/mhD6UZcpN2U4Df+BtQuNUqZl4p5cA5dA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
WP8Iaf0xOFzj0Gk+QO+rrAeYPrjn1DFjzagl8rS15ykDUCUA4C0H5D1DVcj9BL43Z+KT+2WPZW5Y
scp0EZDg+rXpU/6h3qL6alvbUljCnOojDa2NtX5diShQHb8ClPhD0vDi5VBA8KeZ5JzgPqKSWL64
FJYeDhQLBWXDi4qSyCC4NdvZ6WvSUV7CtXOAXe791Uzp+hQ/pM9FKlfm01WIH9Cd/6TPwcjrtkXU
QhXoTMvPQVPMBnHVw1hLLVh2lxUcrHe5D3OvEVwY3tfoSBuz5QxXxxKTI7XJFCQ5VreM7BjLGD/f
6P3VakU4RrrbJTpwx6u3hS7v4IEOu+qI6HGu+Q==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
[……..]
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion ID="_02727147fca88cb6b03bc1fe34ef25f4"
      IssueInstant="2017-01-04T21:26:03.850Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>idp-here</saml2:Issuer>
    <saml2:NameID>kevin</saml2:NameID>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="10.136.1.241"
            NotOnOrAfter="2017-01-04T21:31:03.862Z" Recipient="sp-here"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-01-04T21:26:03.850Z" NotOnOrAfter="2017-01-04T21:31:03.850Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>entity-id-here</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-01-04T21:26:03.621Z" SessionIndex="_79ac04e21ca4c9ae04aca42e3629dc94">
      <saml2:SubjectLocality Address="10.136.1.241"></saml2:SubjectLocality>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute
          FriendlyName="attribute-name"
          Name="urn:oid:1.3.6.1.4.1.4995.2.200.10.1.5.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">some-value</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
```

But I am getting:

```xml
<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://gluu.xxx.com/idp/shibboleth"
SPNameQualifier="https://secure.entertimeonline.com">AAdzZWNyZXQx/jmykNfiExZuWZDxBbkjiXesVZhy8t/VNBHKAS9gG16TLaemKaKXTH/3UxzUzKku1Sz+7PTnFPhBNkZpzgPAd6Yf7Xr3gn+lYF0UeIXk2JTkVOoXEzZeVp+YqU4BX7qky2lOOJzV</saml2:NameID>
```

By Mohib Zico Account Admin 14 Oct 2017 at 1:32 p.m. CDT

Your assertion is pretty clear to me; it is not encrypted. However, the NameID it is showing (`<saml2:NameID>kevin</saml2:NameID>`) is wrong there. A NameID assertion cannot look like that. Your NameID configuration isn't correct, and from the `<saml2:NameID>...</saml2:NameID>` snippet above I can tell that it's just releasing the UID there.

> But I am getting <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

Yes, that's the default in Shibboleth v3: if you don't release any NameID, it releases a transientId by default.

By kevin patel user 14 Oct 2017 at 2:10 p.m. CDT

Okay, I followed this [doc](https://gluu.org/docs/ce/3.1.0/admin-guide/attribute/#defining-nameid) and I put my custom nameId inside:

```
#foreach($attribute in $......)
  #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('testcustomattribute') ) )
    <resolver:AttributeDefinition id="testcustomattribute" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="testcustomattribute">
      <resolver:Dependency ref="siteLDAP"/>
      <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" />
    </resolver:AttributeDefinition>
  #end
#end
```

By Mohib Zico Account Admin 15 Oct 2017 at 2:29 a.m. CDT

The configuration is wrong and incomplete.

By kevin patel user 16 Oct 2017 at 4:46 a.m. CDT

Sorry, I received a doc from Kronos, and it provided this sample response:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="RNPWBRGOGEZZYSLKZKTKUKOIAXPJNQRAMOWCSIPH" IssueInstant="2013-03-03T19:07:11.975Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">[[IDP_ENTITY_ID]]</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#RNPWBRGOGEZZYSLKZKTKUKOIAXPJNQRAMOWCSIPH">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"></ec:InclusiveNamespaces>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>Pq/3GDC3zbxiO9ek/J//SYHY840=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>a12twr1ip873lGjM76VfnGBJCG13J99N/ef28Pc8lnb81xCb8KcmClcvSqLtEAs0J8BF+ZuqYsZ1EkpSbGMAEph6dbhE5XkfjSyBwhVWFS0OlOo/RJsaXi85E8Q9DJzmSRaadYr9CMom59TAHfVUrKAvkk/wEt4SyTJnuUKdMAU=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="KLEPEIPQAFALFWJEWYWJJYUCQGKQOLYMRVSXEACB" IssueInstant="2013-03-03T19:07:11.975Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">[[IDP_ENTITY_ID]]</saml:Issuer>
    <saml:Subject>
      <saml:NameID>[[USERNAME]]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-03-03T19:10:11.975Z" Recipient="https://secure.saashr.com/ta/[[COMPANY_SHORT_NAME]].login-saml"></saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-03T19:04:11.975Z" NotOnOrAfter="2013-03-03T19:10:11.975Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://secure.saashr.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-03T19:07:11.975Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
```

Can you guide me on how I can achieve that through Gluu 3.1.0?

By Mohib Zico Account Admin 16 Oct 2017 at 9:13 a.m. CDT

If Kronos supplied this sample assertion to you, then they are doing it wrong. `<saml:Subject><saml:NameID>[[USERNAME]]</saml:NameID>` .... this cannot be a correct assertion for any NameID.

> Can you guide me, How can I acheive that through Gluu 3.1.0

It's not possible to guide through everything in community support, but we are trying our best.

- Check out how to create a custom NameID in the [doc](https://gluu.org/docs/ce/3.1.1/admin-guide/attribute/#defining-nameid)
- Search the support portal to find questions on NameID [ screenshot attached ]
- Let me give you a hint:
  - You need to ask the SP what kind of NameID they require.
  - If it's a 'UID'-based NameID, then you need to configure your NameID based on that value [ i.e. `sourceAttributeID="uid"` ]
  - Finally, check the Shibboleth v3 [doc](https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration) to know the ins and outs of SAML NameID
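
As an added, SP-side check (not code from this thread, from Gluu or from Shibboleth), the following Python inspects a SAML 2.0 Response the way a relying party would and tells apart the three situations discussed above: a NameID placed directly under Assertion instead of inside Subject (which an SP ignores), a transient NameID (Shibboleth's default when no NameID attribute is released) and a genuinely encrypted one. The two inline samples are constructed, trimmed versions of the responses posted earlier in the thread.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def inspect_nameid(response_xml):
    """Report how the NameID of a SAML 2.0 Response would look to an SP:
    subject_nameid (Subject/NameID text or None), format, encrypted
    (Subject holds an EncryptedID), stray_nameid (a NameID directly under
    Assertion, outside Subject) and transient (the Shibboleth default when
    no NameID attribute is released)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:  # missing, or an EncryptedAssertion we cannot read here
        return {"error": "no plaintext Assertion in Response"}
    subject = assertion.find("saml2:Subject", NS)
    name_id = subject.find("saml2:NameID", NS) if subject is not None else None
    fmt = name_id.get("Format") if name_id is not None else None
    return {
        "subject_nameid": name_id.text if name_id is not None else None,
        "format": fmt,
        "encrypted": subject is not None and subject.find("saml2:EncryptedID", NS) is not None,
        "stray_nameid": assertion.find("saml2:NameID", NS) is not None,  # direct child only
        "transient": fmt == TRANSIENT,
    }

# Constructed samples, trimmed to the elements the check inspects (signature etc. omitted).
WANTED = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Assertion Version="2.0">
    <saml2:NameID>kevin</saml2:NameID>
    <saml2:Subject/>
  </saml2:Assertion>
</saml2p:Response>"""

RECEIVED = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Assertion Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">AAdzZWNyZXQx...</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    for label, xml in (("wanted", WANTED), ("received", RECEIVED)):
        print(label, inspect_nameid(xml))
```

Running it shows the "wanted" sample has no usable Subject/NameID at all (only a stray one), while the "received" sample carries a transient NameID that is opaque but not encrypted.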

By kevin patel user 18 Oct 2017 at 9:06 a.m. CDT

Hello Mohib Zico, the links you provided were useful for understanding Shibboleth IdP 3, and I achieved what I wanted using SAML2SSO itself. Thanks