Supported NameID formats in SAML response subject

Expand

Collapse

Advanced SearchOpens new dialog

Enter plus (+) or minus (-) signs in search terms to make a word required or excluded
Search Tips

Search terms

Screen Reader users press enter to select a Filter by product. Filter by product

Screen Reader users press enter to select a Filter by category. Filter by category

Sort by Direction

Answer ID 10917 | Last Review Date 09/22/2022

What are the supported NameID formats in the Subject of a SAML response for Single Sign On (SSO)?

Environment:

Single Sign-On (SSO)/SAML

Resolution:

If you select a value for the NameID format field when setting up an Identity Provider in the Single Sign-On Configurations component, strict validation is enforced and you will need to ensure the NameID format that is included in the Subject for the SAMLResponse from your IdP matches what you have configured on the Oracle B2C Service side. Below are the supported formats for the Subject in the SAMLResponse from the IdP :

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

Example: In the following Subject example, the nameid-format is set to unspecified. You will need to ensure your Identity Provider in the Single Sign Single Sign-On Configurations component has the NameID Format field set to Unspecified;

<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mylogin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-05-29T16:51:11Z" Recipient="https://mysite-custhelp.com/cgi-bin/mysite.cfg/php/sso/saml2/sp/post/acs.php"/>
</saml:SubjectConfirmation>
</Subject>

If your NameID format is not in one of the formats that are supported by Oracle B2C Service as specified in the NameID Format field on the Identity Provider in the Single Sign-On Configurations component, your SSO authentication can fail and you will see a "Single Sign-On is not configured correctly. Please contact your system administrator." error displayed upon login. You will also see a "The SSO token has in invalid nameid_format" error recorded in the Security Log.

You will need to work with your IdP to ensure they are setting the appropriate supported NameID format in the subject of the SAMLResponse. If you have not set a value for the NameID Format field on your Identity Provider in the Single Sign-On Configurations component, validation is not enforced.

Loading...

Login

What are the supported NameID formats in the Subject of a SAML response for Single Sign On (SSO)?

Was this answer helpful?

Still have questions?

Related Answers

Login