Cherwell is to replace HPSC for Support tickets, change management, etc. Audio conference 5 August 2014 with Sean Armstrong and Kevin Jacobson: Cherwell supports SAML authentication. Cherwell can provision internal accounts 'on the fly' from attributes in SAML assertion. https://cherwellsupport.com/webhelp/CSM_Webhelp_4.3_EN/index.htm#5379.htm describes integration for institution-based authentication using SAML with explicit reference to Shibboleth. Kevin Jacobson is primary vendor contact. Attribute release policy for Cherwell in $IDP_HOME/conf/attribute-filter.xml {{{ }}} Additional encoder for the UA Username to be encoded as a NameID with the format needed by Cherwell in $IDP_HOME/conf/attribute-resolver.xml {{{ }}} Initially the NameID was being encrypted in the SAML subject, and Cherwell was unable to decrypt that NameID” Cherwell returned the message in response to the SAML assertion from the UA IdP: SAML authentication failed: Required NameID format not supported. SAML status codes: urn:oasis:names:tc:SAML:2.0:status:Responder,urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy To avoid encryption of the NameID, I removed specific existing configuration phrases in $IDP_HOME/conf/relying-party.xml as follows: {{{ }}} Cherwell metadata provided and added to $IDP_HOME/metadata/sp-metadata.xml {{{ LbV9RU+E+vVOvzM0sTpUxbNdDLU= ... ... ... urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos }}}