Release 'TransientID' and see what's up there. 'TransientID' is our default NameID which might work for your case. It's available in available attributes section.

I tried added but still get an error. What about the relying party config, does that look correct? I don't know which I should be adding, and some have a checkbox to "includeAttributeStatement".

>> I tried added but still get an error. Just release 'TransientID' as NameID. Don't use your custom made nameID. >> What about the relying party config, does that look correct? Relying party configuration depends on SP's requirement. If they want that; you can move forward.

I added TransientID, but still get an error.

Then you can check the log for hints... SAML transactions related logs are inside /opt/idp/logs/

Last few lines of the log are here, do you see anything wrong at all? :53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501] - Name identifier for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' will be built from attribute 'transientId' 16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' 16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572] - Determining if SAML assertion to relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' should be signed 16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653] - IdP relying party configuration 'http://fs.ultiproworkplace.com/adfs/services/trust' indicates to sign assertions: false 16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:660] - Entity metadata for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust 'indicates to sign assertions: true 16:53:58.126 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:583] - Determining signing credntial for assertion to relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' 16:53:58.126 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:599] - Signing assertion to relying party http://fs.ultiproworkplace.com/adfs/services/trust 16:53:58.138 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331] - secondarily indexing user session by name identifier 16:53:58.138 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796] - Encoding response to SAML request id-b3397259-9873-489a-991f-e55face6b58c from relying party http://fs.ultiproworkplace.com/adfs/services/trust 16:53:58.157 - INFO [Shibboleth-Audit:1028] - 20150625T165358Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|id-b3397259-9873-489a-991f-e55face6b58c|http://fs.ultiproworkplace.com/adfs/services/trust|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://gluu.nyc.squarespace.net/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1d724821b2f6fe5ae45a495253320b27|tvernick|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_1f2b25192791b667596d585ea008034b|_c7b2766b73cd502cac5d4bc1995c2941,|

No, I don't see any error from your log snippet.

Hi, I attached what ultipro is expecting as an attribute. Do you know which attribute I should be releasing or what I should create for this to work? I tried creating a new attribute with that particular string but it didnt work.

How do you do that? If you're talking about the URI for the attribute yes I added that as: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:2.0:nameid-format:transient I'm not certain about the other options but I left most them all as default.

The screenshot is when I passed the TransientId attribute only. When I used the custom attribute I created they don't see anything.

As far as the attribute values, those are being passed by editing the user values in "Manage People"? Also, I have an assertion document they gave me, but not sure exactly how I should implement it. Ie. should I be creating a new attribute etc. Is there an email I can send that to?

Todd, Seems like Ultipro is expecting some custom NameID which should be with format 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' and this NameID will be based on some 'UserAttribute' ( which can be UID or Email_Address, Ultipro can decide ). It's not possible to create and map custom NameID with Gluu Server's GUI ( oxTrust ) right now. For our customers, Gluu Engineers are creating such custom attribute manually.