NetIQ Access Manager 4.1
NetIQ Access Manager 4.0
NetIQ Access Manager Identity Server acting as a SAML 2.0 Identity Provider.
We are trying to create a federation, and the Service Provider (SP) has these requirements:
1. The NameIDFormat MUST be transient.
2. The value sent in the NameID MUST be the user's email address.
The Access Manager documentation clearly states that the Transient and Persistent Name Identifier Formats are generated automatically:

value for the name identifier.
The persistent and transient formats are generated automatically. For the others, you can select an attribute. The available attributes depend upon the attributes that you have selected to send with authentication (see "Configuring the Attributes Obtained at Authentication" on page 375). If you do not select a value for the E-mail, Kerberos, X509, or Unspecified format, a unique value is automatically generated.
Is it possible to generate an Authentication Response from the NAM IDP server with the transient name identifier format but a value that is static in nature, e.g. an LDAP attribute?
From the SAML 2.0 specification, section 8.3.8 Transient Identifier:

Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in accordance with the rules for SAML identifiers (see Section 1.3.4), and MUST NOT exceed a length of
If we add an LDAP attribute value such as an email address, this is not really an opaque or temporary value, as it will be the same for every session.
From section 3.6 Transient Identifiers:

SAML 2.0 shall provide a facility enabling a principal's identity to be reflected to relying parties anonymously (in effect), using non-persistent identifiers. Identifiers of this type may be obtained upon relying party request; additionally, principals may designate that they are to be so represented to relying parties within the scope of a session. This facility shall be applicable independent of whether or not the principal has a federation relationship between the SAML authentication authority and any of the relying parties receiving assertions within the session. Desirably, it should be possible for a principal to request and/or configure use of this facility at the granularity of individual relying parties.
Again, adding an LDAP attribute such as the user's email address is not anonymous, and defeats the purpose of using a transient ID.
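To make the two rules concrete (an opaque, randomly generated value that is never reused), here is an added Python example that is not part of the original article or of Access Manager: a generator that satisfies the SAML identifier rules, and a check an SP or auditor can run over an assertion's NameID to flag a stable value such as an email address being sent under the transient format. The function names, the regex and the minimal assertion fragment are assumptions constructed for this illustration.

```python
import re
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simple heuristic, assumption


def generate_transient_nameid() -> str:
    """Opaque, per-assertion value: 160 random bits, hex-encoded, prefixed with
    '_' so it also satisfies the xs:ID (NCName) lexical rules of SAML Core 1.3.4."""
    return "_" + secrets.token_hex(20)


def check_transient_nameid(assertion_xml: str, seen: set) -> list:
    """Return a list of problems with the <NameID> of one assertion.
    `seen` collects values observed across assertions so reuse can be spotted."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        return ["no NameID"]
    if name_id.get("Format") != TRANSIENT:
        return []  # only transient identifiers are subject to these rules
    value = (name_id.text or "").strip()
    problems = []
    if len(value) > 256:  # upper bound from SAML Core 8.3.8
        problems.append("longer than the 256 characters allowed by SAML Core 8.3.8")
    if EMAIL_RE.match(value):
        problems.append("value is an e-mail address, not an opaque identifier")
    if value in seen:
        problems.append("value reused across assertions, so it is not temporary")
    seen.add(value)
    return problems


def _assertion(value: str) -> str:
    # Constructed, minimal assertion fragment for demonstration only.
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
            f'<saml:NameID Format="{TRANSIENT}">{value}</saml:NameID>'
            '</saml:Subject></saml:Assertion>')


if __name__ == "__main__":
    seen = set()
    print(check_transient_nameid(_assertion("jdoe@example.com"), seen))  # flagged
    print(check_transient_nameid(_assertion("jdoe@example.com"), seen))  # flagged twice
    print(check_transient_nameid(_assertion(generate_transient_nameid()), seen))  # []
```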