Hello John, If NameID is properly configured, you will not see it's value clear text in SAML assertion of Gluu Server, basically that's how Shibboleth works. On other hand... you will see something like "NameID configured .. etc. etc " in SAML assertion OR "NameID can't be configured ....". SAML assertion means... DEBUG log from 'idp-process.log' ( /opt/shibboleth/logs/ )

Hi Mohib, Thanks for your reply. In the idp-process.log we are seeing: WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format Under <gluuServer>/identity/saml/nameid We have configured the Custom NameId to be: Source Attribute: Email NameId Type: emailAddress Our expectation is that this would have been reflected in the IDP metadata <gluuServer>/idp/shibboleth, but it isn't. IDP metadata has: <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> We would have expected to see something like this included too: <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress </NameIDFormat>

>> Ignoring NameIDFormat metadata that includes the 'unspecified' format There are two meaning of this message: - Some configuration still talking about 'unspecified' type. Either SP metadata or SP itself or inside your Gluu Server. - There is no other properly configured nameID available. i.e. emailAddress isn't configured properly.

Hi Mohib, I've removed reference to "unspecified" in the sp_metadata. That's fine. Using the firefox saml-tracer extension, the saml assertion decoded gives me: <saml2:Issuer>https://ubuntuGluuVM/idp/shibboleth</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://ubuntuGluuVM/idp/shibboleth" SPNameQualifier="sp_app_test" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >AAdzZWNyZXQxrzma+EkBD77Ys2xvWkzdXrFlSV37QDiV4CkbXQWFLV+euUV0yyKTnJxbmauzbRjtmOwzDHgzFIKRGMB5vcMVqzT3y16wUivuPLxDyZ/OKAZfjPG98g==</saml2:NameID> This is in contrast to another saml-idp-server which gives the email address in cleartext at this point. The saml custom nameId would seem to be configured correctly in attribute-resolver.xml: <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail"> <resolver:Dependency ref="siteLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" /> </resolver:AttributeDefinition> I notice there is no reference to "nameid-format:emailAddress" in the /idp/shibboleth metadata which I would have expected.

This previous post describes the problem I'm having: https://support.gluu.org/single-sign-on/4489/using-email-address-for-nameid-in-saml/ I'm still falling short of finding a solution though.

Please share your all configs, I will take a look as soon as I can manage some time: - `/opt/shibboleth/conf` - `/opt/gluu/jetty/identity/conf/shibboleth/idp` - SP metadata - Trust relationship screenshots

Hi Mohib, Thank you for your kind offer to look at config. I've revisited this in recent days, done a re-install and it's working now. Thanks for your help. Is gluu-saml available as a docker image? This could be useful going forward.

Hello John, >> Is gluu-saml available as a docker image? This could be useful going forward. Yes, it's work in progress; we are planning to release it with Gluu Server 4.0.