Supported NameID formats in SAML response subject
Answer ID 10917   |   Last Review Date 11/19/2024

What are the supported NameID formats in the Subject of a SAML response for Single Sign On (SSO)?

Environment:  

Single Sign-On (SSO)/SAML

Resolution:

If you select a value for the NameID Format field when setting up an Identity Provider in the Single Sign-On Configurations component, strict validation is enforced: the NameID Format included in the Subject of the SAMLResponse from your IdP must match what you have configured on the Oracle B2C Service side. The supported formats for the Subject in the SAMLResponse from the IdP are:

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

Example: In the following Subject example from the external Identity Provider's SAMLResponse, the nameid-format is set to unspecified. If you are setting a NameID Format on your Identity Provider in the Single Sign-On Configurations component, you will need to set it to Unspecified to match the nameid-format in the Subject:

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mylogin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-05-29T16:51:11Z" Recipient="https://mysite-custhelp.com/cgi-bin/mysite.cfg/php/sso/saml2/sp/post/acs.php"/>
    </saml:SubjectConfirmation>
</saml:Subject>

If the NameID format in the Subject is not one of the formats supported by Oracle B2C Service, or does not match the value selected in the NameID Format field on the Identity Provider in the Single Sign-On Configurations component, SSO authentication can fail and a "Single Sign-On is not configured correctly. Please contact your system administrator." error is displayed upon login. A "The SSO token has in invalid nameid_format" error is also recorded in the Security Log.

You will need to work with your IdP to ensure they are setting the appropriate supported NameID format in the subject of the SAMLResponse.  If you have not set a value for the NameID Format field on your Identity Provider in the Single Sign-On Configurations component, validation is not enforced.
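The check described above, written out as an added example (this is not Oracle B2C Service code): it reads the NameID Format from a constructed Subject fragment and applies the article's rule, strict match when a format is configured, no enforcement when the field is left empty. It assumes the Subject has already been extracted from a signature-verified assertion.

```python
"""Validate the NameID Format in a SAML Subject against the SP's configured value.
Added example; constructed sample data; not the product's own implementation."""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Formats accepted in the Subject of the SAMLResponse (from the article).
SUPPORTED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Constructed <saml:Subject> fragment, modelled on the article's example.
SAMPLE_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mylogin</saml:NameID>
</saml:Subject>"""


def nameid_format(subject_xml: str) -> tuple[str, str]:
    """Return (Format attribute, NameID value) from a <saml:Subject> fragment.
    A missing Format attribute is reported as an empty string."""
    root = ET.fromstring(subject_xml)
    nameid = root.find("saml:NameID", NS)
    if nameid is None:
        raise ValueError("Subject has no NameID element")
    return nameid.get("Format", ""), (nameid.text or "").strip()


def check_nameid_format(subject_xml: str, configured: str | None) -> tuple[bool, str]:
    """Apply the article's rule. `configured` is the NameID Format field on the
    Identity Provider entry (None when the field was left empty).
    Returns (ok, reason) so the reason can be written to a security log."""
    fmt, _login = nameid_format(subject_xml)
    if configured is None:
        return True, "no NameID Format configured; validation not enforced"
    if configured not in SUPPORTED_FORMATS:
        return False, f"configured NameID Format is not supported: {configured}"
    if fmt != configured:
        return False, f"SSO token nameid_format {fmt!r} does not match configured {configured!r}"
    return True, "NameID Format matches configuration"


if __name__ == "__main__":
    for cfg in (None, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"):
        print(cfg, "->", check_nameid_format(SAMPLE_SUBJECT, cfg))
```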