Shibboleth Developers

[Chad La Joie <>]

The failure is due to the fact that both Scott and I assumed there had 
to be an ID in the subject.  Now if the IdP and the SP can't agree on a 
name format then no ID is sent.

Tom Scavo wrote:
> On Wed, Mar 5, 2008 at 2:02 AM, Jie Lv 
> <>
>  wrote:
> > There were 2 lines of
> > "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
> > in the element <md:IDPSSODescriptor>, and there was no < md:NameIDFormat >
> > in the element <md:AttributeAuthorityDescriptor>.
> >
> > When this metadata was used, in idp-process.log I got something like:
> >
> > Error:
> > [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2.ProfileHandler:702]:
> > No principal attribute supported encoding into a supported nameID format.
> >
> > I had to manually delete 1
> > "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
> > from the element <md:IDPSSODescriptor> and added 1 to <
> > md:AttributeAuthorityDescriptor>. Then this problem was solved.
> >
> > Was it just me, or someone else have also met similar problems?
>
> This issue came up recently in the OASIS SSTC.  I don't think the
> issue is fully resolved but there doesn't appear to be anything in the
> spec that requires <md:NameIDFormat> to be in metadata.  Do we really
> want an exchange to fail if the corresponding <md:NameIDFormat> is not
> in metadata?
>
> Tom

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch