Shibboleth Developers

At 1:34 PM -0800 12/3/07, Chad La Joie wrote:
> Okay, check your IdP metadata.  Does it say it only supports the 
> shib handle?  I suspect so.
>
> But yeah, given that the IdP is only seeing the shib format as an 
> option then you are getting the expected behavior; it can't encode 
> because there isn't a SAML 2 encoder for the shib format (and their 
> normally shouldn't be).
>
> So, the real issue is the list of supported name formats.  As I 
> mentioned before the IdP will look at it's own metadata, if it's 
> available, and use that in conjunction with the SP metadata.  So if 
> the SP says it supports the shib and saml 2 transient formats and 
> the IdP metadata says the IdP only supports the shib format then the 
> intersected list if only the shib format.  I suspect that's the 
> issue.

bingo! thanks to both Chad + Nate.

I had registered my IdP with TestShib before the recent transientId 
discussion...  once I added this element to my IdP's metadata:

<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

everything works as expected. The SP accepts that format, and the IdP 
has been told it can use that format.

Tomorrow... on to fun with various authN mechnisms!