When a user belongs to multiple ActiveDirectory groups, the login fails with the error Empty nameStrings not allowed the error in the logs is as follows:
WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:93] - Relay state exceeds 80 bytes: https://www.google.com/a/XXXXXXX/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1<mpl=default<mplcache=2&emr=1&osid=1
WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos:226] - Profile Action ValidateUsernamePasswordAgainstKerberos: Login by XXX.XXXXXXXXX produced unknown exception
java.lang.IllegalArgumentException: Empty nameStrings not allowed
If I remove some groups in ActiveDirectory the user can login without problems, but if I add them back the error returns, I have checkd if I have circular groups but couldn't find any.
The sweet spot for number of groups seems to be 5 to 8 which is really small.
What can I do to provide more meaningful information to help correct the error?