Hi Mohamed,
Thanks for your prompt reply. I tried your proposed solution, but it is not working; it still shows the auto-generated uuid value.
From the federation logs, I noted that NameID is part of <stsuuser:RequestSecurityToken> from the stsuu object as below, so stsuu.addPrincipalAttribute() may not work to replace the NameID value.
<stsuuser:RequestSecurityToken>
</stsuuser:Attribute><stsuuser:Attribute name="Claims" type="com:tivoli:am:fim:sts:RST"><stsuuser:Value><wst:Claims Dialect="urn:ibm:names:ITFIM:saml" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><fimc:Saml20Claims xmlns:fimc="urn:ibm:names:ITFIM:saml" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="<sp_acs_url>" AttributeConsumingServiceIndex="0" DefaultNameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" LoginOccurred="true" MustSignAssertion="true" ProtocolProfile="urn:oasis:names:tc:SAML:2:0:profiles:SSO" RequestedNameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SessionIndex="uuidd0212ece-c6a8-4ac3-b5b8-767b60cf3431" SessionNotOnOrAfter="2025-10-06T11:59:48Z" Target="<SP_Target_url>"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" SPNameQualifier="<SP_Identifier>">uuid1d3cd177-0198-1920-82f3-83df4fc59bac</saml:NameID></fimc:Saml20Claims></wst:Claims></stsuuser:Value>
Thanks
Regards
SK
------------------------------
Someswara Reddy Karem
------------------------------
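As an added example (not code from this thread and not part of IBM Verify Identity Access), the small Node script below pulls the <saml:NameID> out of an assertion or out of the fimc:Saml20Claims block that the federation log prints, and reports what still differs from a correctly populated persistent NameID: wrong Format, missing NameQualifier/SPNameQualifier, a value that is still the generated "uuid..." identifier, or a value that does not equal the expected LDAP attribute. The two sample assertions are constructed from the as-is and expected snippets quoted in the original post; the "uuid" pattern is an assumption derived from the IDs shown on this page.

```javascript
// Added example, not code from the thread or from IBM Verify Identity Access.
// Pulls the <saml:NameID> out of an assertion (or the RST Claims block that
// Verify Access writes to its federation log) and reports what still needs
// fixing. Regex-based on purpose: it runs with plain Node and no XML library,
// which is enough for a single NameID element copied out of a log.

const PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

// Shape of the auto-generated IDs quoted in the thread: "uuid" + 8-4-4-4-12.
// Constructed pattern; the samples on the page are not strictly hex, so [0-9a-z].
const GENERATED_ID = /^uuid[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$/i;

// Sample assertions, constructed from the snippets quoted in the thread.
const AS_IS_ASSERTION =
  '<saml:Subject><saml:NameID Format="' + PERSISTENT_FORMAT + '" ' +
  'NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" ' +
  'SPNameQualifier="https://<sp-fqdn>" >uuid2d5cd167-0198-1990-82f3-33df4fc59bnm</saml:NameID></saml:Subject>';

const EXPECTED_ASSERTION =
  '<saml:Subject><saml:NameID Format="' + PERSISTENT_FORMAT + '" ' +
  'NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" ' +
  'SPNameQualifier="https://<sp-fqdn>" >empId1234</saml:NameID></saml:Subject>';

// Returns {value, format, nameQualifier, spNameQualifier} or null.
// Attribute values may contain "<" and ">" (the page's <fqdn> placeholders do),
// so the element is matched as a run of quoted attributes, not as [^>]*.
function parseNameId(xml) {
  const el = xml.match(/<saml:NameID\b((?:\s+[A-Za-z]+="[^"]*")*)\s*>([^<]*)<\/saml:NameID>/);
  if (!el) return null;
  const attrs = {};
  const attrRe = /([A-Za-z]+)="([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(el[1])) !== null) attrs[m[1]] = m[2];
  return {
    value: el[2].trim(),
    format: attrs.Format,
    nameQualifier: attrs.NameQualifier,
    spNameQualifier: attrs.SPNameQualifier,
  };
}

// Lists everything that differs from a correctly populated persistent NameID.
// An empty array means the mapping rule produced what was asked for.
function checkPersistentNameId(xml, expectedValue) {
  const id = parseNameId(xml);
  if (!id) return ["no saml:NameID element found"];
  const problems = [];
  if (id.format !== PERSISTENT_FORMAT) problems.push("Format is " + id.format + ", not persistent");
  if (!id.nameQualifier) problems.push("NameQualifier missing");
  if (!id.spNameQualifier) problems.push("SPNameQualifier missing");
  if (GENERATED_ID.test(id.value)) problems.push("NameID is still the auto-generated uuid value: " + id.value);
  if (expectedValue !== undefined && id.value !== expectedValue) {
    problems.push("NameID is " + JSON.stringify(id.value) + ", expected " + JSON.stringify(expectedValue));
  }
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("as-is:   ", checkPersistentNameId(AS_IS_ASSERTION, "empId1234"));
  console.log("expected:", checkPersistentNameId(EXPECTED_ASSERTION, "empId1234"));
}
```

Paste the <saml:NameID ...>...</saml:NameID> fragment from the federation log (the one inside fimc:Saml20Claims above) into checkPersistentNameId with the employeeUniqueId value you expect, and the returned list tells you directly whether the mapping rule replaced the generated identifier or only added an attribute next to it.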
Original Message:
Sent: Mon October 06, 2025 02:08 AM
From: Mohamed Ahmed
Subject: IBM Verify Identity Access - Set subject claim in Persistent nameid format
Hi,
Try the below :
// Import the STS Attribute class
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
// 1. Extract the LDAP attribute from the STS-UU.
// Replace "employeeUniqueId" with the actual attribute name in your LDAP schema.
var empId;
var empIdAttr = stsuu.getAttributeList().getAttribute("employeeUniqueId");
if (empIdAttr == null || empIdAttr.getValues().length == 0) {
    // No value found; default to the existing principal name
    var existing = stsuu.getPrincipalName();
    empId = (existing != null) ? existing : "";
} else {
    // Use the first value of the LDAP attribute
    empId = empIdAttr.getValues()[0];
}
// 2. Add a Principal attribute of persistent NameID format
var nameIdFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
stsuu.addPrincipalAttribute(
    new Attribute("principalName", nameIdFormat, empId)
);
// Optionally override the SPNameQualifier or NameQualifier via context attributes:
// var spQualifier = "https://<sp-fqdn>";
// stsuu.addContextAttribute(
//     new AttributeAssertion("ChangeSPNameQualifier", "urn:oasis:names:tc:SAML:2.0:assertion", spQualifier)
// );
------------------------------
Mohamed Ahmed
Original Message:
Sent: Sun October 05, 2025 08:11 PM
From: Someswara Reddy Karem
Subject: IBM Verify Identity Access - Set subject claim in Persistent nameid format
Hi,
We have a requirement to update the NameID value in the SAML assertion below. I configured Verify Access (on-prem) as IDP with persistent nameid format.
In the SAML mapping rule, I tried to set principalName to one of the LDAP custom attributes instead of the auto-generated id, i.e. uuid2d5cd167-0198-1990-82f3-33df4fc59bnm:
stsuu.setPrincipalName(nameID);
But it is not working. What is the best way to populate the nameid subject value with an LDAP attribute? (for example, set employeeUniqueId in the NameID value)
As-is SAML assertion:
<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" SPNameQualifier="https://<sp-fqdn>" >uuid2d5cd167-0198-1990-82f3-33df4fc59bnm</saml:NameID>
Expected SAML assertion:
<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" SPNameQualifier="https://<sp-fqdn>" >empId1234</saml:NameID>
Thanks for your support.
------------------------------
Someswara Reddy Karem
------------------------------