Our application is a SP and I have an IdP configured with NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:transient. In my SP initiated AuthnRequest, I see the following:
<samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:transient” AllowCreate=“true” />
I then get a response of:
<ns1:Issuer Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity” xmlns:ns1=“urn:oasis:names:tc:SAML:2.0:assertion”>xxxxxxxxxx</ns1:Issuer>
The NameIDPolicy format agreement between SP and IdP is not met!
In an IdP initiated SSO, I do see
<ns2:Assertion xmlns:ns2=“urn:oasis:names:tc:SAML:2.0:assertion” ID=“_89ddd53655a08f4087259de945a947de9c91” IssueInstant=“2015-08-06T19:28:34Z” Version=“2.0”>
<ns2:Issuer Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity”>
…
ns2:Subject
<ns2:NameID Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:transient”>
…
I believe the problem to be something on their end, or the fact that we should be using “entity” instead of “transient” for the NameID policy, in spite of them asking for us to use “transient”.
Is that correct? Thanks!
Please disregard. This was due to user error. Should not be using SAML 1.1 format. Should be 2.0.
urn:oasis:names:tc:SAML:1.1:nameid-format:transient
vs
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Thanks for letting us know.