Hi, Cedric. >And finally I am restarting the idp and identity services. You need to modify the corresponding template file instead, which is located at `/opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm` Restart `identity` service after that, this will re-generate configuration files under `/opt/shibboleth-idp/` from those templates. That said, have you tried to follow our custom nameid doc already? It offers a way to [define custom nameid from web UI](https://gluu.org/docs/ce/3.1.3/admin-guide/saml/#oxtrust-gui)

Hello, Yes modifying the template file instead allowed me to change the content of saml-nameid.xml. However, I still have the same issue, i.e the nameID in the SAML response is still in transient format. So I've looked at the link you sent for configuring nameID in oxTrust (instead of manual config in template files). I believe I do not need a custom attribute since I want to use mail so here's the info I put : Source Attribute : Email Name : mail NameID Type : emailAddress Then idp/identity restart but still the same issue (transient format). On top of that, the SP does not even receive the Email attribute anymore (I am releasing Username and Email). I basically want the nameID to be the mail attribute for that specific SP only (not all). Any idea? Thanks

Hi Cedric, >> I believe I do not need a custom attribute since I want to use mail so here's the info I put : Source Attribute : Email Name : mail NameID Type : emailAddress 'Custom Attribute' is some kind of 'container' for any type of NameID other than default one ( transientID ). So in any case, you need to prepare a custom attribute; feed that custom attribute with email_address value; configure that custom attribute as 'emailAddress' type nameID.

Ok, i'll try that. But will it affect all other SAML TR? Because I want the NameID to be the mail attribute for 1 particular SP only.

No, it won't.

Ok so just to be sure, here's what I've done : 1. I've created a custom attribute as instructed [here](https://gluu.org/docs/ce/3.1.3/admin-guide/attribute/#custom-attributes) (added it to OpenLDAP in custom.schema, restarted the solserver service and registered that attribute in oxTrust). 2. I've configured a custom NameID from the GUI (not manual) as instructed [here](https://gluu.org/docs/ce/3.1.3/admin-guide/saml/#oxtrust-gui). Source Attribute is 'Email', Name is the name of the newly created custom attribute and NameId Type is 'emailAddress'. I've enabled it and restarted idp/identity services. 3. I've changed nothing in the TR config except that I'm now also releasing that new custom attribute (don't know if it's necessary or not). Result : I still receive the NameID in transient format: ``` <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.dev.interne.montreal.ca/idp/shibboleth" SPNameQualifier="https://ged.lab.interne.montreal.ca/nuxeo"> AAdzZWNyZXQxUaCtu4DtCMA6Iq/Qb4krfr9jVl9XR6ILz/gTUV3ZOUse0TZeDCb53cKHeiSIHDzh8MI/rndc+uz+6TeKffCj2yj8tFJupevr9p75957FnCbVooy4Ij3P/gHS6D9AGYndv5DZq1Gb7M8EWdl22Lgh </saml2:NameID> ``` Am I missing something?

It is weird because, after creation of the custom attribute (step 1), I have also tried the manual config for step 2 (i.e modifying the attribute-resolver and saml-nameid templates instead of creating a custom NameID in oxtrust) and the SAML response is different now: this time I don't even receive the saml2:NameID element in the saml2:Subject statement. Only the attributes. Anyway, I've CC'd my colleague Andrew on this since I am away for the next 10 days. Will follow up later this month. Thanks

Hello Cedric, Please feel free to issue a new ticket when you are back; use reference of this ticket there in new ticket so all of us can check what we have been doing to resolve the case.