Within our company we've setted up a testlab for Gluu Server. In the testlab we're trying to connect a SAML Service Provider to GLUU. However we encounter some problems with the NameID format. The Service provider expects a NameID=emailaddress@gmail.com but Gluu sends instead of the email adres a strange value "_7301855dbf4bf5a9520629e8d456e796" to the service provider. Here are the screenshots of our Gluu and Service provider configuration and the SAML respons. Hope you can help us out! **SAML respons** <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://traxiontest.okta.com/auth/saml20/test" ID="_a4f4bca9f09b59b3e59f35adb294785f" InResponseTo="id4994358162546611758523684" IssueInstant="2015-04-02T13:00:57.566Z" Version="2.0" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >https://ce.gluu.info/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#_a4f4bca9f09b59b3e59f35adb294785f"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>fSDBxrRn1AJiuy6WOmlOLC7/WO4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>qX+IHmXnKp2pDbr0kukctGGmjGVIU6Sst466WiDmzdMruIRhs4IimIoGu/XdWaQtL1CYkbIqg1qj6n7UvNSFEO1eDcOQohPFGCO0R40caoETwbL5eOH2oZ8AkGn8qr2YbDpj/quvwluKESelnjsOzU6v0qIS90r0eABqG5y+VpiH90a/HPCeJTO+LpXY78YpCikpOOCEYNBElmviizIqXR3QjeWDm6AWviWY8Wg3btKqrR8J2ElaUwVhhKYMVHP3Qicl1xeJGUVrA76dfBXfewhaWksyMqGB1XV2D4sgu9+j4lltsBXtyKhBYtNZbgofCSpffn3x+2LaM1QYVQSjBA==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDHDCCAgQCCQDeKFaEs+kWtTANBgkqhkiG9w0BAQsFADBQMRUwEwYDVQQDDAxjZS5nbHV1Lmlu Zm8xEDAOBgNVBAoMB1RyYXhpb24xCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJHTDELMAkGA1UEBwwC V0IwHhcNMTUwMzI2MTE1OTE5WhcNMTYwMzI1MTE1OTE5WjBQMRUwEwYDVQQDDAxjZS5nbHV1Lmlu Zm8xEDAOBgNVBAoMB1RyYXhpb24xCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJHTDELMAkGA1UEBwwC V0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1Zcje9w06yWsuSxgA3rvVQ/HS85vo xZMb8UaK8Kvm9D+QJQ/9c01OsSr3MyWyzVDl8zgZJbo0l0SW4nS9HOVaI8+vIkkQwkUWYnF6eBjD n3MEm+fhx4NFQDZ/uIhe40k0Rodym9wzZvc8I3q82p/cSDJDTEaWhdA2gSw/qHGWjbPiPInPN0Oq Ex2UW5D9f8urWyep7PKQQXiEsg8+nIK8FJEtMYUh7zV6KOmgTiIzqBOtNPy+/4DYXSIfpJWh+qQd EWjyZs6AmhnTcdItU+D/vsJazHsnLKr6LsI6oF5m8h2Dn5V9dKKiFuHoAJdYnFz6qaog9Ri3Qzzq f762InIDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAECnBQ9np5/QsWEmOUGAOXINfwXUrjdedGWm Yw0UqXn2wk/M/aGulC2Xl4WeDXVpsl+/zLg+hhvaA2btRub6o3ffVK9Qpkiz6TBumoSi+I/+WgOU icfI7gWQSR4SlYCo0ofUUtFB6fyAzQcYlb3yuXgWAKou0Ofhfsoz19WG0/v6187gk/PlvJQzzeYU jAIEtT74p3R97+WdcREbHE7oYLehqh4YtC6uTDtjH3sAncVikfwD/BrWv46C2lcLNJNyp1zV8yvJ Wts580inz5PG9hqJCFIOW1rx0zK6hH0C0Rii3mKyIzvbcMwez6lFea9z5w412gPUQ88wkcZPp+ZJ DSA=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fbdfa74c498b0b78410587beb5a43372" IssueInstant="2015-04-02T13:00:57.566Z" Version="2.0" > <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://ce.gluu.info/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#_fbdfa74c498b0b78410587beb5a43372"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BKfulz739nNvnejwdgc0UG29+so=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>sdra+Tpp75wAOpTX+sqsJvhQQ/jqOHrVszcxDntETAJWKylLaBNi978lErm6UA4+lpXxPZ5+38keE2gwbd2r/VVYfd2A0XpK/39O56ykphDCdTX7Rj2zxk1rV0YTfFDsIfgJH7pb19QARUaJIZEEED/GwdXKJYYzJD5B8PMPaT/FbGFT8mDwNDcJZLegl4+fOiYzMXiztSSBYHkikYESliXBFFuNJV5MfxkY0CGtG9X0r5M72LUiNu6VpiZmfEkb+aNYUU3fj5wlR/Q45ayapGuAv3/1NtKiIzbZwwdK+5hI3tWjrF5hGXbxOaPZvDdcYCuUd3RtaKhHATav+5ArnA==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDHDCCAgQCCQDeKFaEs+kWtTANBgkqhkiG9w0BAQsFADBQMRUwEwYDVQQDDAxjZS5nbHV1Lmlu Zm8xEDAOBgNVBAoMB1RyYXhpb24xCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJHTDELMAkGA1UEBwwC V0IwHhcNMTUwMzI2MTE1OTE5WhcNMTYwMzI1MTE1OTE5WjBQMRUwEwYDVQQDDAxjZS5nbHV1Lmlu Zm8xEDAOBgNVBAoMB1RyYXhpb24xCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJHTDELMAkGA1UEBwwC V0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1Zcje9w06yWsuSxgA3rvVQ/HS85vo xZMb8UaK8Kvm9D+QJQ/9c01OsSr3MyWyzVDl8zgZJbo0l0SW4nS9HOVaI8+vIkkQwkUWYnF6eBjD n3MEm+fhx4NFQDZ/uIhe40k0Rodym9wzZvc8I3q82p/cSDJDTEaWhdA2gSw/qHGWjbPiPInPN0Oq Ex2UW5D9f8urWyep7PKQQXiEsg8+nIK8FJEtMYUh7zV6KOmgTiIzqBOtNPy+/4DYXSIfpJWh+qQd EWjyZs6AmhnTcdItU+D/vsJazHsnLKr6LsI6oF5m8h2Dn5V9dKKiFuHoAJdYnFz6qaog9Ri3Qzzq f762InIDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAECnBQ9np5/QsWEmOUGAOXINfwXUrjdedGWm Yw0UqXn2wk/M/aGulC2Xl4WeDXVpsl+/zLg+hhvaA2btRub6o3ffVK9Qpkiz6TBumoSi+I/+WgOU icfI7gWQSR4SlYCo0ofUUtFB6fyAzQcYlb3yuXgWAKou0Ofhfsoz19WG0/v6187gk/PlvJQzzeYU jAIEtT74p3R97+WdcREbHE7oYLehqh4YtC6uTDtjH3sAncVikfwD/BrWv46C2lcLNJNyp1zV8yvJ Wts580inz5PG9hqJCFIOW1rx0zK6hH0C0Rii3mKyIzvbcMwez6lFea9z5w412gPUQ88wkcZPp+ZJ DSA=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://ce.gluu.info/idp/shibboleth" SPNameQualifier="https://www.okta.com/saml2/service-provider/spiau1jl4WHKy62JU0y6" >**_7301855dbf4bf5a9520629e8d456e796</saml2:NameID>** <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData Address="10.0.23.223" InResponseTo="id4994358162546611758523684" NotOnOrAfter="2015-04-02T13:05:57.566Z" Recipient="https://traxiontest.okta.com/auth/saml20/test" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2015-04-02T13:00:57.566Z" NotOnOrAfter="2015-04-02T13:05:57.566Z" > <saml2:AudienceRestriction> <saml2:Audience>https://www.okta.com/saml2/service-provider/spiau1jl4WHKy62JU0y6</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2015-04-02T13:00:57.181Z" SessionIndex="_550b35c590bc171de649ed733d9988ff" > <saml2:SubjectLocality Address="10.0.23.223" /> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> </saml2:Assertion> </saml2p:Response> **Configuration Gluu** [Gluu configuration for trust relationship](http://pasteboard.co/2oe676ux.png) [Gluu configuration relying party](http://pasteboard.co/2oefQLtt.png) [Gluu configuration of the user, with transientID=emailaddress (the Service provider needs this emailaddress)](http://pasteboard.co/2oes44kp.png) [configuration of the SP (OKTA), IDP.cert is the certificate of Gluu](http://pasteboard.co/2oeyzUTE.png)