
shibboleth-dev - Re: A problem with IdP metadata generated by TESTSHIB TWO

Subject: Shibboleth Developers

  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: A problem with IdP metadata generated by TESTSHIB TWO
  • Date: Wed, 5 Mar 2008 09:01:29 -0500

On Wed, Mar 5, 2008 at 2:02 AM, Jie Lv <> wrote:
>
> There were 2 lines of
> "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
> in the element <md:IDPSSODescriptor>, and there was no <md:NameIDFormat>
> in the element <md:AttributeAuthorityDescriptor>.
>
> When this metadata was used, in idp-process.log I got something like:
>
> Error:
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2.ProfileHandler:702]:
> No principal attribute supported encoding into a supported nameID format.
>
> I had to manually delete 1
> "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
> from the element <md:IDPSSODescriptor> and add 1 to
> <md:AttributeAuthorityDescriptor>. Then this problem was solved.
>
> Was it just me, or has someone else also met similar problems?

This issue came up recently in the OASIS SSTC. I don't think the
issue is fully resolved but there doesn't appear to be anything in the
spec that requires <md:NameIDFormat> to be in metadata. Do we really
want an exchange to fail if the corresponding <md:NameIDFormat> is not
in metadata?

Tom
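The metadata shape Jie Lv describes (a repeated `<md:NameIDFormat>` under `<md:IDPSSODescriptor>`, none under `<md:AttributeAuthorityDescriptor>`), checked and repaired in code. This is an added example and is not code from the thread, from Shibboleth or from TestShib. The entity ID and endpoint URLs are constructed placeholders, and the "no NameIDFormat declared" finding encodes the IdP behaviour reported in the thread, not a requirement of the SAML 2.0 metadata specification (Tom's point above). It also checks that an inserted `<md:NameIDFormat>` lands where the metadata schema orders it within the role descriptor, since the Shibboleth IdP schema-validates metadata it loads.

```python
"""Lint and normalize <md:NameIDFormat> declarations in SAML 2.0 IdP metadata.

Added example (not from the thread or the Shibboleth project): it reproduces the
metadata shape described by Jie Lv and applies the manual fix he describes.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MD = "{%s}" % MD_NS  # Clark-notation prefix for ElementTree tags
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: two identical NameIDFormat children in IDPSSODescriptor and
# none in AttributeAuthorityDescriptor. Entity ID and endpoints are placeholders,
# not the real TestShib values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def _local(tag: str) -> str:
    """Strip the Clark-notation namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def name_id_formats(metadata_xml: str) -> dict:
    """Map each role descriptor present to its NameIDFormat values, in document order."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for role in ROLES:
        for desc in list(root.iter(MD + role)):
            result[role] = [(el.text or "").strip() for el in desc.findall(MD + "NameIDFormat")]
    return result


def lint_name_id_formats(metadata_xml: str) -> list:
    """Report the two conditions from the thread: a format repeated within one role,
    and a role with no format at all. Neither violates the metadata schema; the second
    is what the Shibboleth 2.0 IdP log in the thread complained about."""
    findings = []
    for role, fmts in name_id_formats(metadata_xml).items():
        seen = set()
        for fmt in fmts:
            if fmt in seen:
                findings.append(f"{role}: duplicate NameIDFormat {fmt}")
            seen.add(fmt)
        if not fmts:
            findings.append(f"{role}: no NameIDFormat declared")
    return findings


def normalize_name_id_formats(metadata_xml: str) -> str:
    """Apply the manual fix from the thread: drop repeated NameIDFormat children per role,
    and give an AttributeAuthorityDescriptor that has none the IDPSSODescriptor's formats,
    inserted where the schema orders NameIDFormat in that role (after AttributeService and
    AssertionIDRequestService, before AttributeProfile and Attribute)."""
    ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serializing
    root = ET.fromstring(metadata_xml)
    idp_formats = []
    for role in ROLES:
        for desc in list(root.iter(MD + role)):
            kept = []
            for el in list(desc.findall(MD + "NameIDFormat")):
                val = (el.text or "").strip()
                if val in kept:
                    desc.remove(el)  # second and later copies of the same format
                else:
                    kept.append(val)
            if role == "IDPSSODescriptor":
                idp_formats = kept
            elif not kept and idp_formats:
                children = list(desc)
                pos = next((i for i, c in enumerate(children)
                            if _local(c.tag) in ("AttributeProfile", "Attribute")),
                           len(children))
                for offset, val in enumerate(idp_formats):
                    el = ET.Element(MD + "NameIDFormat")
                    el.text = val
                    desc.insert(pos + offset, el)
    return ET.tostring(root, encoding="unicode")


def role_children(metadata_xml: str, role: str) -> list:
    """Local names of a role descriptor's children, to check schema ordering after a fix."""
    root = ET.fromstring(metadata_xml)
    desc = root.find(".//" + MD + role)
    return [] if desc is None else [_local(c.tag) for c in desc]


if __name__ == "__main__":
    for line in lint_name_id_formats(SAMPLE_METADATA):
        print("finding:", line)
    fixed = normalize_name_id_formats(SAMPLE_METADATA)
    print("after fix:", lint_name_id_formats(fixed) or "clean")
    print(fixed)
```

Run it against a downloaded metadata file by passing the file contents to `lint_name_id_formats` before loading it into the IdP; the lint only reads direct `<md:NameIDFormat>` children of each role, so formats declared elsewhere (for example under an `<md:SPSSODescriptor>`) are ignored on purpose.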



Archive powered by MHonArc 2.6.16.
