How do I send Subject->NameID in "clear" text

Jason Holland jholland at olp.net
Tue Dec 27 20:05:55 GMT 2011


My ProfileConfiguration has encryptNameIds set to "never" so maybe I'm
making an amateur mistake with my configuration. To make it as simple as
possible I hard-coded a phone number in a static attribute and it is
still not being put in clear text in the response. Can someone take a
look at the config snippets I have included below and let me know if I'm
making a noob mistake? :)

************************************ BEGIN *************************************
$IDPHOME/conf/relying-party.xml
================================================================================
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                         includeAttributeStatement="true"
                         assertionLifetime="PT5M"
                         assertionProxyCount="0"
                         signResponses="never" signAssertions="always"
                         encryptAssertions="conditional"
                         encryptNameIds="never"/>


$IDPHOME/conf/attribute-resolver.xml
================================================================================
<resolver:DataConnector id="staticAttributes" xsi:type="Static"
xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <Attribute id="specialPhone">
        <Value>9185551212</Value>
    </Attribute>
</resolver:DataConnector>

<resolver:AttributeDefinition id="specialPhone"
xsi:type="ad:TransientId" sourceAttributeID="specialPhone">
    <resolver:Dependency ref="staticAttributes" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>


$IDPHOME/conf/attribute-filter.xml
================================================================================
<afp:AttributeFilterPolicy id="releaseSpecialPhoneToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="specialPhone">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>


$IDPHOME/logs/idp-process.log
================================================================================
11:35:34.362 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279] - Assertion to be encrypted is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_e2865077d7b9b6c259e9f1e7652ab5e4"
                 IssueInstant="2011-12-27T17:35:34.290Z" Version="2.0">
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.org/idp/shibboleth</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_e2865077d7b9b6c259e9f1e7652ab5e4">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>JN/H+RN03HUnWjq7BMTIPT5MuqE=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>value removed for brevity</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>value removed for brevity</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://idp.example.org/idp/shibboleth"
                    SPNameQualifier="http://sp1.example.loc/simplesaml/module.php/saml/sp/metadata.php/sp1">_e6894c264511ebac9320f2741774c3da</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.1"
                                        InResponseTo="_33f1a8556bb0166ad05d3929307f581e015f60f6d3"
                                        NotOnOrAfter="2011-12-27T17:40:34.290Z"
                                        Recipient="http://sp1.example.loc/simplesaml/module.php/saml/sp/saml2-acs.php/sp1"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2011-12-27T17:35:34.290Z" NotOnOrAfter="2011-12-27T17:40:34.290Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>http://sp1.example.loc/simplesaml/module.php/saml/sp/metadata.php/sp1</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2011-12-27T17:35:34.262Z"
                         SessionIndex="9be3471366e0839dad0ffa98495dd9d53d027501d2192701a88870bf934ae9cf">
      <saml2:SubjectLocality Address="127.0.0.1"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>
************************************* END **************************************

Thanks,
Jason

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
On Behalf Of Nate Klingenstein
Sent: Friday, December 23, 2011 4:11 PM
To: Shib Users
Subject: Re: How do I send Subject->NameID in "clear" text

Jason,

You should find this configuration option in relying-party.xml.  In
particular, you're likely using the SAML 2.0 Web Browser SSO Profile to
communicate with this SP, so the relevant profile in relying-party.xml
is:

         <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                               includeAttributeStatement="true"
                               assertionLifetime="PT5M"
                               assertionProxyCount="0"
                               signResponses="never"
                               signAssertions="always"
                               encryptAssertions="conditional"
                               encryptNameIds="never" />

I think the default for the IdP is and has been to not encrypt NameID's,
but rather to encrypt assertions.  Is something indicating to you that
your IdP is encrypting the NameID?  With recent versions of the IdP, you
can see the assertion as it's going out by uncommenting:

     <!-- Logs inbound and outbound protocols messages at DEBUG level -->
     <logger name="PROTOCOL_MESSAGE" level="DEBUG" />

in logging.xml.

You can configure this profile on a relying party basis if you are in
fact encrypting NameID's for some reason and want to preserve that
functionality.

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty

Take care,
Nate.

On Dec 23, 2011, at 21:53 , Jason Holland wrote:

> I am trying to get my Shib IdP to work with an SP that requires a 
> phone number instead of the username used to authenticate. I think I 
> have it setup to send the phone number instead of the username because
> I can see the debug logs are saying that Shib is using the phone for 
> the NameID.
>
> The SP has an example response where the NameID is in clear, human 
> readable text so my question is what setting do I change to make it to
> where Shib sends the NameId as "clear" text in the response. I can't 
> find any documentation on this. Any hints?
>
> Thanks,
> Jason

--
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net
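The thread turns on whether the IdP is encrypting the NameID or merely not sending the value the SP expects, and the idp-process.log excerpt above already settles part of that: the Subject carries a plain <saml2:NameID> (no <saml2:EncryptedID>), its Format is transient, and its value is a generated identifier rather than the phone number. The script below is an added example for making that check mechanically on an assertion or response copied out of PROTOCOL_MESSAGE or idp-process.log; it is not Shibboleth or SimpleSAMLphp code. It reports whether the whole assertion is encrypted (the encryptAssertions setting), whether only the subject identifier is (encryptNameIds), or, when the NameID is in the clear, which Format and value it carries and whether that value has the shape of a Shibboleth 2.x transient ID. The sample documents are constructed for the example, modelled on the logged assertion with the signature and conditions dropped, and the encrypted ones carry placeholder cipher text.

```python
"""Classify how a SAML 2.0 Response or Assertion carries its subject identifier.

Added example, not Shibboleth code. Stdlib only: no signature or decryption
is performed; the script only looks at which elements are present.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Shape of the transient IDs seen in the log above: "_" plus 32 hex digits
# (an assumption about the generator; it is only a heuristic).
GENERATED_ID = re.compile(r"_[0-9a-f]{32}")


def inspect_subject(doc):
    """Return a dict describing the subject identifier in `doc` (str or bytes)."""
    if isinstance(doc, str):
        doc = doc.encode("utf-8")  # lets documents keep their XML declaration
    root = ET.fromstring(doc)

    # A full Response may hide the assertion inside <saml2:EncryptedAssertion>.
    if root.tag == "{%s}Response" % NS["saml2p"]:
        if root.find("saml2:EncryptedAssertion", NS) is not None:
            return {"status": "assertion-encrypted"}
        root = root.find("saml2:Assertion", NS)
        if root is None:
            return {"status": "no-assertion"}

    subject = root.find("saml2:Subject", NS)
    if subject is None:
        return {"status": "no-subject"}

    encrypted = subject.find("saml2:EncryptedID", NS)
    if encrypted is not None:  # encryptNameIds in effect
        method = encrypted.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        return {"status": "nameid-encrypted",
                "algorithm": method.get("Algorithm") if method is not None else None}

    nameid = subject.find("saml2:NameID", NS)
    if nameid is None:
        return {"status": "no-nameid"}
    value = (nameid.text or "").strip()
    fmt = nameid.get("Format")
    return {
        "status": "clear",
        "format": fmt,
        "value": value,
        # True when the value is a transient/generated ID, i.e. not the
        # attribute value the SP was expecting to see.
        "looks_generated": fmt == TRANSIENT or bool(GENERATED_ID.fullmatch(value)),
    }


# --- constructed samples (not real IdP output) ------------------------------
SAML2 = 'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"'
XENC = 'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"'
ENC_BLOB = ('<xenc:EncryptedData %s Type="http://www.w3.org/2001/04/xmlenc#Element">'
            '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
            '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>') % XENC

CLEAR_TRANSIENT = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion %s ID="_e2865077d7b9b6c259e9f1e7652ab5e4" Version="2.0"
                 IssueInstant="2011-12-27T17:35:34.290Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example.org/idp/shibboleth">_e6894c264511ebac9320f2741774c3da</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>""" % SAML2

CLEAR_PHONE = """<saml2:Assertion %s ID="_a1" Version="2.0" IssueInstant="2011-12-27T17:35:34.290Z">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">9185551212</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>""" % SAML2

ENCRYPTED_NAMEID = """<saml2:Assertion %s ID="_a2" Version="2.0" IssueInstant="2011-12-27T17:35:34.290Z">
  <saml2:Subject><saml2:EncryptedID>%s</saml2:EncryptedID></saml2:Subject>
</saml2:Assertion>""" % (SAML2, ENC_BLOB)

ENCRYPTED_ASSERTION = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" %s
    ID="_r1" Version="2.0" IssueInstant="2011-12-27T17:35:34.290Z">
  <saml2:EncryptedAssertion>%s</saml2:EncryptedAssertion>
</saml2p:Response>""" % (SAML2, ENC_BLOB)

if __name__ == "__main__":
    for name, doc in [("clear transient", CLEAR_TRANSIENT), ("clear phone", CLEAR_PHONE),
                      ("encrypted NameID", ENCRYPTED_NAMEID),
                      ("encrypted assertion", ENCRYPTED_ASSERTION)]:
        print("%-20s %s" % (name, inspect_subject(doc)))
```

Run against the logged assertion, the result is status "clear" with looks_generated True, which matches the transient Format and the "_e689..." value on the page. Note that the surrounding log line reads "Assertion to be encrypted is:", so what the SP receives on the wire is an EncryptedAssertion (the encryptAssertions="conditional" setting, applied because the SP published an encryption key); once the SP decrypts it, the Subject inside is this plain NameID, so encryptNameIds="never" is in effect and encryption is not what is hiding the phone number.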