shibboleth-dev - Beta IdP: No principal attribute supports an encoding into a supported name ID format

Subject: Shibboleth Developers

  • From: Lukas Haemmerle <>
  • To:
  • Subject: Beta IdP: No principal attribute supports an encoding into a supported name ID format
  • Date: Mon, 24 Sep 2007 10:38:00 +0200
  • Organization: SWITCH - Serving Swiss Universities

Ok, got Apache with Basic Auth (hooked to LDAP) working, protecting
/idp-trunk/Authn/RemoteUser with REMOTE_USER being present for the IdP.

However, if I test the IdP by accessing an SP 1.3 I'm authenticated but
the SP doesn't get a useful assertion. All it gets is an assertion with
StatusMessage="Unable to construct NameIdentifier". This of course
results in a Session Creation Error.

In the IdP logs it says:

10:19:14,524 CRITICAL [Shibboleth-Access]
20070924T081914Z|130.59.6.143|lewotolo.switch.ch:443|/profile/shibboleth/SSO|
10:19:14,826 ERROR [AbstractSAML1ProfileHandler] No principal attribute
supports an encoding into a supported name ID format.
10:19:14,882 CRITICAL [Shibboleth-Audit]
20070924T081914Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://kelimutu.switch.ch/shibboleth|urn:mace:shibboleth:2.0:idp:profiles:shibboleth:request:sso|urn:mace:switch.ch:aaitest:lewotolo.switch.ch|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_33486ee3bc5759b9099e1ccf520460e5|demouser|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||

So, because the principal (demouser) is present, I guess this error has
something to do with the supported name ID format. Does anybody have a hint on
this?


Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch


