Question

I am trying to configure a Shibboleth identity provider to work with an existing SAML 2.0 service provider (I assume it's also Shibboleth), but it fails with an InvalidNameIDPolicy status and the following error message.

Required NameID format not supported

The AuthnRequest message has the following restriction.

<samlp:NameIDPolicy 
    AllowCreate="true" 
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>

How do I create an attribute of the desired type? How would I change the following attribute definition in attribute-resolver.xml to have the right format?

<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" 
                              sourceAttributeID="EMAIL">
    <resolver:Dependency ref="myRef" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" 
                               name="urn:mace:dir:attribute-def:mail"/> 
    <resolver:AttributeEncoder 
         xsi:type="enc:SAML2String" 
         name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/> 
</resolver:AttributeDefinition>

Thanks.


Solution

The answer is to add the following AttributeEncoder at the beginning of the list.

<resolver:AttributeEncoder 
     xsi:type="enc:SAML2StringNameID"
     nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
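
An added example, not part of the original question or answer and not Shibboleth project code: a Python check that reads the Format from an AuthnRequest's NameIDPolicy and lists the attribute definitions in a resolver file that carry a matching SAML2StringNameID encoder. The namespace URIs, the wrapper elements and both sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"  # assumed namespace for the resolver: prefix

# Constructed sample: the NameIDPolicy from the question inside a minimal AuthnRequest.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

# Constructed sample: the question's definition (trimmed) in an assumed root element.
# %s marks the head of the encoder list, where the answer places the new encoder.
RESOLVER_TEMPLATE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="EMAIL">
    <resolver:Dependency ref="myRef"/>
    %s
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

NAMEID_ENCODER = """<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>"""

def requested_format(authn_request_xml):
    """Return the Format the SP demands in NameIDPolicy, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find(SAMLP + "NameIDPolicy")
    return None if policy is None else policy.get("Format")

def nameid_sources(resolver_xml, wanted):
    """Return ids of definitions that encode a SAML 2 NameID in format `wanted`."""
    hits = []
    for definition in ET.fromstring(resolver_xml).iter(RESOLVER + "AttributeDefinition"):
        for enc in definition.findall(RESOLVER + "AttributeEncoder"):
            kind = enc.get(XSI_TYPE, "").split(":")[-1]  # drop the "enc:" prefix
            if kind == "SAML2StringNameID" and enc.get("nameFormat") == wanted:
                hits.append(definition.get("id"))
    return hits

if __name__ == "__main__":
    for label, extra in (("before fix:", ""), ("after fix:", NAMEID_ENCODER)):
        print(label, nameid_sources(RESOLVER_TEMPLATE % extra, requested_format(AUTHN_REQUEST)))
```

An empty result for the requested format is the condition under which the IdP has no NameID to issue and answers with InvalidNameIDPolicy.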
License: CC-BY-SA with attribution
Not affiliated with StackOverflow