idp-process.log with custom email attribute name id urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress root@gluusvr:/opt/gluu/jetty/identity/conf/shibboleth3/idp# tail -f /opt/shibboleth-idp/logs/idp-process.log 2017-04-03 04:10:48,292 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.token.validation.url] loaded from oxTrust.properties 2017-04-03 04:10:48,292 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.userinfo.url] loaded from oxTrust.properties 2017-04-03 04:10:48,292 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.client.id] loaded from oxTrust.properties 2017-04-03 04:10:48,292 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.client.password] loaded from oxTrust.properties 2017-04-03 04:10:48,415 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:151] - validate check session status:200 2017-04-03 04:10:48,416 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in 2017-04-03 04:10:48,504 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: sanvi@example.com 2017-04-03 04:10:48,630 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:email 2017-04-03 04:10:48,635 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidNameIDPolicy 2017-04-03 04:10:48,656 - INFO [Shibboleth-Audit.SSO:241] - 20170403T041048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|SNC0fd2f8ec8325c97d14f6d886209b0b37|https://dev33269.service-now.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://domain/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_9dacc4d83f4b10d4fe469fe5f317cd21|sanvi@example.com|||||

Hi Raji, Can you please share which doc you followed? And.. btw.. thanks for great description.

Hi Mohib, Appreciate a quick resolution, to this issue. Please let me know if you need more information to help fix this issue. Please treat this as a priority, I also see this issue is posted on other thread since March 3rd. https://support.gluu.org/single-sign-on/3853/nameid-attribute-for-google-apps-g-suite-integration/ I followed this 3.0.1 doc on customer attributes and for defining name id under same name id. https://gluu.org/docs/ce/3.0.1/admin-guide/attribute/#custom-attributes

Pasting the 1.same-nameid.xml 2. attribute-resolver.xml 3.SP meta data Appreciate your help in resolving this issue on priority and please let me know if you need more information. 1.Saml-nameid.xml =============== root@gluusvr:/opt/shibboleth-idp/conf# cat saml-nameid.xml <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy"> <!-- ========================= SAML NameID Generation ========================= --> <!-- These generator lists handle NameID/Nameidentifier generation going forward. By default, transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs and generating more one-off formats based on resolved attributes. The suggested approach is to control their use via release of the underlying source attribute in the filter policy rather than here, but you can set a property on any generator called "activationCondition" to limit use in the most generic way. Most of the relevant configuration settings are controlled using properties; an exception is the generation of arbitrary/custom formats based on attribute information, examples of which are shown below. --> <!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" p:attributeSourceIds="#{ {'emailID'} }" /> </util:list> --> <!-- SAML 1 NameIdentifier Generation --> <util:list id="shibboleth.SAML1NameIdentifierGenerators"> <ref bean="shibboleth.SAML1TransientGenerator" /> <bean parent="shibboleth.SAML1AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:email" p:attributeSourceIds="#{ {'emailID'} }" /> </util:list> </beans> 2. attribute-resolver.xml ========================= root@gluusvr:/opt/shibboleth-idp/conf# cat attribute-resolver.xml <?xml version="1.0" encoding="UTF-8"?> <resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc" xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd"> <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="emailID" sourceAttributeID="emailID"> <resolver:Dependency ref="siteLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oasis:names:tc:SAML:1.1:nameid-format:email" friendlyName="emailID" encodeType="false" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail"> <resolver:Dependency ref="siteLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" friendlyName="mail" encodeType="false" /> </resolver:AttributeDefinition> <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" baseDN="%{idp.attribute.resolver.LDAP.baseDN}" principal="%{idp.attribute.resolver.LDAP.bindDN}" principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"> <dc:FilterTemplate> <![CDATA[ (uid=$requestContext.principalName) ]]> </dc:FilterTemplate> <!-- <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes> --> <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> </dc:StartTLSTrustCredential> </resolver:DataConnector> </resolver:AttributeResolver> 3. SP Metadata =============== <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://dev33269.service-now.com"> <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev33269.service-now.com/navpage.do" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:email</NameIDFormat> <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev33269.service-now.com/navpage.do" /> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev33269.service-now.com/consumer.do"/> </SPSSODescriptor> </EntityDescriptor> 4. custom.schema ================= attributetype ( 1.3.6.1.4.1.48710.1.3.1001 NAME 'emailID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Gluu - emailID person attribute' ) objectclass ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson' SUP ( top ) AUXILIARY MAY ( emailID ) X-ORIGIN 'Gluu - emailID person objectclass' )

Let's try this... doc attached.

Hi Raji, Did it help?