Supabase SAML "Invalid NameID Policy"
As described. Have had this issue 2 times today alone and had never seen it before.
Was there an update to SAML causing this?
From client:
I haven't changed anything on supabase side since this was working
7 Replies
Where is this issue being thrown?
I’m using a SAML tracer and it’s in the logs there
SSO throws an initial success from the authentication standpoint but when sent back from Shibboleth to Supa it throws with the invalid NameID thing
What is the NameID that you are sending, is it an email or a UUID?
email
have had this issue with 2 groups recently after never seeing before
Hmm, I'm not sure what could be causing it then. I haven't seen anyone else come through asking about this but might be worth filing a support ticket if the issue is still persisting.
Have you inspected the emails it is throwing this for?
It's all emails coming from their side (we work with universities)
but basically anything coming from the university domain will cause this issue
I'm not sure if this is helpful but I have seen this
"Now you have successfully configured the Shibboleth, however, there are some additional steps that may be important for you. By default, Shibboleth adds Transient ID as the NameID in the subject element of the SAML Assertion. The Transient ID attribute definition exposes a randomly generated, short-lived, opaque identifier that can later be mapped back to the user by a transient principal connector. However, if you want to add the login name into the SAML Assertion, you need to do the following configuration." on this site
https://is.docs.wso2.com/en/6.1.0/guides/identity-federation/configure-shibboleth-idp/
Could it be an issue with how these universities are configuring Shibboleth?
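
An added example, not part of the thread and not Supabase or Shibboleth code: a small triage helper for the decoded AuthnRequest and Response that a SAML tracer captures, comparing the NameID format the SP requested with what the IdP returned. It assumes the SP asks for the emailAddress format; the function names are hypothetical and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed samples (trimmed to the elements this check reads).
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{P}">'
                 f'<samlp:NameIDPolicy Format="{EMAIL}"/></samlp:AuthnRequest>')
REJECTED = (f'<samlp:Response xmlns:samlp="{P}"><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
            f'<samlp:StatusCode Value="{INVALID_POLICY}"/></samlp:StatusCode>'
            '</samlp:Status></samlp:Response>')
TRANSIENT_OK = (f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}"><samlp:Status>'
                '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
                f'</samlp:Status><saml:Assertion><saml:Subject><saml:NameID Format="{TRANSIENT}">'
                '_c0ffee</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')

def requested_format(authn_request_xml):
    """Format attribute of <samlp:NameIDPolicy>, or None if the SP sent none."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None

def response_summary(response_xml):
    """Status codes (outer to inner) and NameID format of a Response.
    An encrypted assertion exposes no NameID here, so the format is None."""
    root = ET.fromstring(response_xml)
    codes = [c.get("Value") for c in root.iterfind(".//samlp:StatusCode", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    return {"status": codes, "nameid_format": fmt}

def diagnose(authn_request_xml, response_xml):
    """List the NameID-related findings for one request/response pair."""
    want = requested_format(authn_request_xml)
    got = response_summary(response_xml)
    findings = []
    if INVALID_POLICY in got["status"]:
        findings.append(f"IdP rejected requested NameID format {want}")
    if want and got["nameid_format"] and got["nameid_format"] != want:
        findings.append(f"requested {want}, received {got['nameid_format']}")
    if got["nameid_format"] == TRANSIENT:
        findings.append("IdP released a transient NameID (Shibboleth default)")
    return findings
```

Running `diagnose` on a failing login's pair shows whether the IdP refused the requested format outright or answered with a different one, which is the detail to include in a support ticket or send to the university's IdP administrators.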