When SAML2 Node is configured with NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, the attribute mapped to this NameID must be included in the SP Attribute mapping (i.e. AttributeStatement in the Assertion).
How to reproduce:
Configure an AM 6.5 as IDP. In the NameID value map, configure urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid
Configure an AM 6.5 as SP (adjust the Assertion Consumer Service URLs with the Auth prefix)
Configure a SAML Authentication tree and specify the nameID format as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Run the flow. After authenticating in IDP, you'll get a 'Login Failure' in the SP with NPE:
Caused by: java.lang.NullPointerException
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.setupAttributes(SAML2Node.java:525)
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.handleReturnFromRedirect(SAML2Node.java:470)
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.process(SAML2Node.java:258)
at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
(the stacktrace may be a little different depending on the version of the node you've built, but it should be coming from the #setupAttributes).
As a workaround, you can request the federated attribute to be also included as an attribute in the assertion. In both hosted/remote SP, update the SP attribute mapping accordingly e.g. uid=uid
Note, this is not happening when using the SAML module or AM 7 SAML node.
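A pre-flight check for the condition this report describes, as an added example that is not part of the original issue and is not code from the SAML2 node: given a decoded, unencrypted assertion, it reports when the NameID uses the unspecified format but the mapped attribute is absent from the AttributeStatement. The function name and both sample assertions are constructed for illustration, `uid` is the mapping used in the reproduction steps, and signatures are not validated, so treat it as a diagnostic only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def missing_nameid_attribute(xml_text, mapped_attr="uid"):
    """Return findings for one decoded assertion; an empty list means OK."""
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML input")
    root = ET.fromstring(xml_text)
    # Accept a bare Assertion or a Response that wraps one.
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        return []  # not the configuration described in the report
    # Collect non-empty values per attribute name across all statements.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    if not attrs:
        return ["NameID is unspecified but no AttributeStatement attributes are present"]
    if not attrs.get(mapped_attr):
        return ["attribute %r is absent or empty in the AttributeStatement" % mapped_attr]
    return []


# Constructed sample assertions (not captured from a real deployment).
_HEAD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         '<saml:Subject><saml:NameID Format="%s">demo</saml:NameID></saml:Subject>'
         % UNSPECIFIED)
SAMPLE_FAILING = _HEAD + "</saml:Assertion>"
SAMPLE_WORKAROUND = (_HEAD + '<saml:AttributeStatement><saml:Attribute Name="uid">'
                     '<saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>'
                     '</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    for label, doc in (("failing", SAMPLE_FAILING), ("workaround", SAMPLE_WORKAROUND)):
        print(label, missing_nameid_attribute(doc) or "ok")
```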