How to ask for Shib IdP returning a urn:mace:shibboleth:1.0:nameIdentifier
Yaowen Tu
yaowen.tu at gmail.com
Wed Aug 1 20:38:10 EDT 2012
I think there might be some misleading communication. For "nameIdentifiers",
I am referring to "urn:mace:shibboleth:1.0:nameIdentifier", not really the
general NameID.
If I understand correctly, "nameIdentifier" is one type of NameID; there are
other types like persistent, transient, and so on. The IdP metadata specifies
what types are supported.
What I want to know is: if the SP specifies transient, it is very clear that
the value will be a temporary number. But if the SP specifies
"urn:mace:shibboleth:1.0:nameIdentifier" as the format, the SP still doesn't
know what the value inside the NameID will be. The SP only knows that this
value can represent this user. It can be an email address, a given name, or
whatever. This is defined by the IdP. Is that correct? Is there a place that
defines what can be put inside the "nameIdentifier" so the IdP and SP will
follow this rule?
Also, it says "urn.....shibboleth:1.0:nameIdentifier"; does it mean it only
works for SAML 1.0? If I send a SAML 2.0 AuthnRequest, will the IdP return this?
Best,
Yaowen
On Tue, Jul 31, 2012 at 6:36 PM, Kevin P. Foote <kpfoote at iup.edu> wrote:
>
> You can encode user name, email etc into a nameID yes. (see links)
>
> NameID requirements are specified in the metadata. Ex. The SP will
> specify what nameIdentifier format it will take / expect.
>
> I've only had to create/send out one or two custom nameIdentifiers.
> This usually happens when you're dealing with someone else's (non
> Shibboleth project) implementation of SAML.
>
> The list archives also have lots of info/threads on nameID formats and
> how the IdP goes through its selection process before creating the
> message.
>
>
> ------
> thanks
> kevin.foote
>
> On Tue, 31 Jul 2012, Yaowen Tu wrote:
>
> -> Thanks for your answer.
> ->
> -> It looks like IdP can put anything they want into the "nameIdentifier"
> -> like email, user name, or anything. Is it correct?
> ->
> -> If so, then how could SP know what will be in the nameIdentifier? Or SP
> -> needs to get this information in some other way from IdP?
> ->
> ->
> -> Yaowen
> ->
> ->
> -> On Tue, Jul 31, 2012 at 12:05 PM, Kevin P. Foote <kpfoote at iup.edu> wrote:
> ->
> -> >
> -> > You can encode different attributes (data) you have access to into
> -> > nameIdentifiers and then send them out to the various RPs that require
> -> > or request differing NameID data..
> -> >
> -> > https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
> -> >
> -> > https://wiki.shibboleth.net/confluence/display/SHIB2/IdPCustomNameIdentifier
> -> >
> -> > https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier
> -> >
> -> > The IdP's default OOB config is to send the transientId as the NameID .. as
> -> > you have found.
> -> >
> -> > ------
> -> > thanks
> -> > kevin.foote
> -> >
> -> > On Tue, 31 Jul 2012, Yaowen Tu wrote:
> -> >
> -> > -> Hi,
> -> > ->
> -> > -> I have installed a sample Shib IdP, it is working in general. I am
> -> > -> just trying to explore a little more.
> -> > ->
> -> > -> From the IdP metadata, I see this:
> -> > ->
> -> > -> <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
> -> > ->
> -> > ->
> -> > -> So I assume, if an SP sends this AuthnRequest, I am supposed to get
> -> > -> a nameIdentifier from the Assertion:
> -> > ->
> -> > -> <saml2p:AuthnRequest AssertionConsumerServiceURL="..."
> -> > ->     Destination="https://localhost/idp/profile/SAML2/Redirect/SSO"
> -> > ->     ID="_a90ed2b44c1d25860c411e0ab27a9edd"
> -> > ->     IssueInstant="2012-07-31T18:21:28.759Z"
> -> > ->     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> -> > ->     Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> -> > ->   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> -> > ->     .....
> -> > ->   </saml2:Issuer>
> -> > ->   <saml2p:NameIDPolicy AllowCreate="true"
> -> > ->     Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
> -> > -> </saml2p:AuthnRequest>
> -> > ->
> -> > ->
> -> > -> In reality, from Idp-process.log, I see this information:
> -> > ->
> -> > -> 11:22:01.373 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:465] - Attempting to select name identifier attribute for relying party '...' that requires format 'urn:mace:shibboleth:1.0:nameIdentifier'
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:548] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:mace:shibboleth:1.0:nameIdentifier]
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:567] - Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:672] - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:699] - Selecting the first attribute that can be encoded in to a name identifier
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:483] - Name identifier for relying party '...' will be built from attribute 'transientId'
> -> > -> 11:22:01.374 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:864] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party '...'
> -> > ->
> -> > -> And in the Assertion, it is actually transient NameID.
> -> > ->
> -> > -> Can you tell me why? Do I need to make any other configuration to be
> -> > -> able to get nameIdentifier?
> -> > ->
> -> > ->
> -> > -> Best,
> -> > -> Yaowen
> -> > ->
> -> > --
> -> > To unsubscribe from this list send an email to
> -> > users-unsubscribe at shibboleth.net
> -> >
> ->
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
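Added example, not from this thread or the Shibboleth project: a small Python model of the selection the Idp-process.log excerpt above shows (filter attributes by the formats their NameID encoders accept, take the first, emit the encoder's own Format), plus the SP-side check the thread implies: compare the Format the IdP actually returned against what NameIDPolicy asked for. The attribute table, encoder formats and the assertion fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SHIB_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed model of the IdP's resolved attributes: for each one, the Format its
# NameID encoder writes and the formats it is accepted for. Mirrors the log above:
# transientId is "retained" for the Shibboleth 1.0 format but emitted as transient.
RESOLVED_ATTRIBUTES = {
    "transientId": {"emits": TRANSIENT, "accepts": {TRANSIENT, SHIB_NAMEID}},
    "email": {"emits": EMAIL_FMT, "accepts": {EMAIL_FMT}},
}

def select_nameid_attribute(attributes, required_formats):
    """Keep attributes whose encoder accepts one of the required formats and take
    the first ("Selecting the first attribute that can be encoded..." in the log).
    Returns (attribute name, Format that will actually appear in the NameID) or None."""
    for name, enc in attributes.items():
        if enc["accepts"] & set(required_formats):
            return name, enc["emits"]
    return None

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_nameid_format(assertion_xml, requested_format):
    """SP-side check: does the NameID Format in the assertion match the Format the
    AuthnRequest's NameIDPolicy asked for? An absent Format means 'unspecified'."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("./saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return {"ok": False, "requested": requested_format, "received": None, "value": None}
    received = nameid.get("Format", UNSPECIFIED)
    return {"ok": received == requested_format, "requested": requested_format,
            "received": received, "value": (nameid.text or "").strip()}

# Constructed assertion fragment shaped like the outcome in the thread: the SP asked
# for the Shibboleth 1.0 format, the IdP answered with a transient NameID.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed0001" IssueInstant="2012-07-31T18:21:29Z" Version="2.0">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3e9c2a</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(select_nameid_attribute(RESOLVED_ATTRIBUTES, [SHIB_NAMEID]))
    print(check_nameid_format(SAMPLE_ASSERTION, SHIB_NAMEID))
```

A mismatch between requested and received Format is worth logging on the SP side, since the value's meaning (and its stability across sessions) depends on which Format the IdP actually used.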