Authenticating via Kerberos (works fine)

IDP initiated SAML2 using Intersite Transfer Service

Want to send the CN from the user store as an attribute to the SAML2 SP
in the SAML subject's NameID attribute.

It seems so simple in this guide:
where the email address is sent as the nameid attribute.

NOTE: I'm not integrating against Salesforce, just the general gist of
the cool solution is similar enough to use as a guide (mostly)

I've configured an attribute set, with one attribute LDAP CN
Made sure it's configured to "Send with authentication"

Under "Authentication Response" - I've switched to post binding.

Made unspecified the default, and selected LDAP attribute CN as the value.

However, when I look at the SAML assertion in the log, I don't see any
nameID attribute.

Does the metadata from the third party SP need to include a
<NameIDFormat> element for this to work?

Any suggestions on how to debug this? (I already have SAML2 and
Application set to debug level in logging)

Alex McHugh
NetIQ Knowledge Partner

Please post questions in the forums. No support is provided via email.
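
One way to run the check described in the post above, as an added example that is not part of the original post or any NetIQ tooling: decode the POST-binding SAMLResponse captured from the log, report whether the Subject carries a NameID (and with which Format) next to the attributes that were sent, and list any NameIDFormat values in the SP metadata. The function names, the sample user "jdoe" and the entityID are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"saml": SAML, "md": MD}

def inspect_response(b64_response):
    """Per assertion: the Subject NameID (value, Format) and the attributes sent."""
    root = ET.fromstring(base64.b64decode(b64_response))
    report = []
    for assertion in root.iter("{%s}Assertion" % SAML):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        attrs = {}
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        report.append({
            "name_id": None if name_id is None else name_id.text,
            "name_id_format": None if name_id is None else name_id.get("Format"),
            "attributes": attrs,
        })
    return report

def sp_nameid_formats(metadata_xml):
    """NameIDFormat values the SP declares in its metadata (empty list if none)."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter("{%s}NameIDFormat" % MD) if e.text]

# Constructed sample: CN arrives as an attribute, but Subject has no NameID.
SAMPLE_RESPONSE = base64.b64encode(b"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="cn"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")

# Constructed sample SP metadata declaring one NameIDFormat.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for entry in inspect_response(SAMPLE_RESPONSE):
        print(entry)
    print("SP NameIDFormat:", sp_nameid_formats(SAMPLE_METADATA))
```

Run it only on responses taken from your own IdP log; it does not verify signatures or decrypt an EncryptedAssertion, so an encrypted assertion yields an empty report.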