upgraded IdP not sending NameID with assertion

Jeremy Shapiro
Hello,
With Shibboleth IdP 3.2.1 our IdP was sending the NameID as part of the assertion, our SP was picking this up, and based on our SP and Apache config, correctly sending it to the backend application.

<saml2:Assertion ID="_6c390c7a356f5f5f2396a05c12b718d7"
                 IssueInstant="2021-04-30T19:20:58.514Z"
                 Version="2.0"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">testuser</saml2:NameID>
....



After upgrading to 4.0.1 the NameID is being sent in a transient format that doesn't seem to be accepted by the SP (I've removed some of the XML content):


<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_409c53d717007513ef5c01c3dea94346"
                 IssueInstant="2021-04-30T18:14:18.305Z"
                 Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzxxxxphyY=</saml2:NameID>


If I copy over the saml-nameid.properties and .xml files from the 3.2.1 distribution (plus comment out the LegacyGenerator line) then nothing gets sent and I see no log warning or errors anywhere.


Can someone help me determine what config I need to start receiving the NameID again?


Thank you,

Jeremy


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
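A small diagnostic for the situation described in the post, added here as an example and not part of the original thread or of Shibboleth: it parses a SAML 2.0 Assertion and reports whether the Subject carries a NameID, in which Format, and whether that Format is one the SP is configured to accept. The sample assertions are constructed to mirror the two quoted above (persistent before the upgrade, transient after) plus the "nothing gets sent" case; the accepted-format list is an assumption to be replaced with whatever the SP actually expects.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML 2.0 Core: a NameID without a Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def inspect_nameid(assertion_xml, accepted_formats=(PERSISTENT,)):
    """Classify the NameID of a SAML 2.0 Assertion (or a Response wrapping one).

    status: "missing"    - no Subject/NameID at all (the post's second symptom)
            "unaccepted" - NameID present but Format not in accepted_formats,
                           or the value is empty
            "ok"         - NameID in an accepted Format with a non-empty value
    """
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{SAML2_NS}}}Assertion" else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion element found")
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return {"status": "missing", "format": None, "value": None}
    fmt = nameid.get("Format", UNSPECIFIED)
    value = (nameid.text or "").strip()
    if fmt not in accepted_formats or not value:
        return {"status": "unaccepted", "format": fmt, "value": value}
    return {"status": "ok", "format": fmt, "value": value}


# Constructed samples modelled on the assertions quoted in the post (IDs are made up).
OLD_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_old" Version="2.0">
  <saml2:Subject><saml2:NameID Format="{PERSISTENT}">testuser</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""
NEW_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_new" Version="2.0">
  <saml2:Subject><saml2:NameID Format="{TRANSIENT}">AAdzxxxxphyY=</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""
NO_NAMEID = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_none" Version="2.0">
  <saml2:Subject/>
</saml2:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("3.2.1", OLD_ASSERTION), ("4.0.1", NEW_ASSERTION), ("copied config", NO_NAMEID)):
        print(label, inspect_nameid(doc))
```

Run it against a decrypted assertion captured from the SP (for example from the SP's session dump) rather than from the IdP side, since the question is what the SP actually received.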