We would like to use OpenIG to protect OpenIDM. We want to use SAML between OpenIG SP and our SAML IDP. In the prototype we are using OpenAM itself as the SAML IDP. We have followed the steps in the OpenIG documentation to set things up. However, we want to use “unspecified” NameID format instead of the default “transient” NameID format used by default.
Is there a way to do this? We tried updating the $HOME/.openig/SAML/sp.xml to switch to “unspecified” NameID format, but we are getting an error “SSO Failed: Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.” This error is displayed when we are auto redirected to the “/saml/SPInitiatedSSO” URL. Does OpenIG only support “transient” NameID format? Is there a way to change this?
Sorry for a delayed answer.
The SAML support is really embedded in the OpenAM Fedlet that we pull and wrap in OpenIG.
Specific customizations of the Fedlet, like the one you are trying to do, are probably possible, but it might be faster and easier to ask on the OpenAM forum.